Analysis
-
max time kernel
130s -
max time network
134s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30-12-2020 08:59
Static task
static1
Behavioral task
behavioral1
Sample
69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe
Resource
win7v20201028
General
-
Target
69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe
-
Size
612KB
-
MD5
69dfcd212bbc63f84d8c4d4e7f0b1b2f
-
SHA1
7ad131bf48afed34814f5b986aee86f66ed834ff
-
SHA256
cd498b2426b6783c4f1560b0db54783b4ec8b590db1a3bb23e1207263749ee28
-
SHA512
1cbd6b9fdd4b2b181beea93a245151b24b921a066874c6d8da26277cbd6297f3d638762c0026ff5aba5d2eb5ab54fe052691adaa19ffdc1a2fda0da7f356555e
Malware Config
Extracted
trickbot
100008
mor7
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 920 wermgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
69dfcd212bbc63f84d8c4d4e7f0b1b2f.exepid process 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
69dfcd212bbc63f84d8c4d4e7f0b1b2f.exedescription pid process target process PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe PID 1744 wrote to memory of 920 1744 69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe"C:\Users\Admin\AppData\Local\Temp\69dfcd212bbc63f84d8c4d4e7f0b1b2f.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/920-5-0x0000000000000000-mapping.dmp
-
memory/1744-4-0x0000000000290000-0x00000000002CC000-memory.dmpFilesize
240KB
-
memory/1744-6-0x0000000001DA0000-0x0000000001DA4000-memory.dmpFilesize
16KB
-
memory/1744-7-0x0000000002810000-0x0000000002814000-memory.dmpFilesize
16KB