Analysis

max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 04-12-2020 21:51

Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7v20201028

General

Target: sample.exe
Size: 276KB
MD5: fe772386d4d851272a985dae3b0a254a
SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
Malware Config

Extracted family: trickbot
Version: 2000016
Botnet: lib11
autorunName: pwgrab
Signatures

Executes dropped EXE (1 IoC)
  pid 744   sample.exe

Program crash (2 IoCs)
  pid 3460  WerFault.exe  target pid 580  sample.exe
  pid 4072  WerFault.exe  target pid 744  sample.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid 3460  WerFault.exe  (14 events)
  pid 4072  WerFault.exe  (14 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  pid 3460  WerFault.exe  Token: SeRestorePrivilege
  pid 3460  WerFault.exe  Token: SeBackupPrivilege
  pid 3460  WerFault.exe  Token: SeDebugPrivilege
  pid 3944  wermgr.exe    Token: SeDebugPrivilege
  pid 4072  WerFault.exe  Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 580   sample.exe
  pid 744   sample.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 580 wrote to memory of 744   sample.exe -> sample.exe  (3 events)
  PID 744 wrote to memory of 3944  sample.exe -> wermgr.exe  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    command line: C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 408
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 400
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
  MD5: fe772386d4d851272a985dae3b0a254a
  SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
  SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
  SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
memory/580-4-0x0000000000520000-0x0000000000554000-memory.dmp  Filesize: 208KB
memory/744-5-0x0000000000000000-mapping.dmp
memory/744-21-0x0000000000000000-mapping.dmp
memory/3460-12-0x00000000047F0000-0x00000000047F1000-memory.dmp  Filesize: 4KB
memory/3460-13-0x00000000047F0000-0x00000000047F1000-memory.dmp  Filesize: 4KB
memory/3460-15-0x0000000004B60000-0x0000000004B61000-memory.dmp  Filesize: 4KB
memory/3944-11-0x0000000000000000-mapping.dmp
memory/4072-20-0x00000000048B0000-0x00000000048B1000-memory.dmp  Filesize: 4KB
memory/4072-23-0x0000000004EE0000-0x0000000004EE1000-memory.dmp  Filesize: 4KB