Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30-12-2020 08:56
Static task
static1
Behavioral task
behavioral1
Sample
0055d5a7403e27756fa208318d4218ef.exe
Resource
win7v20201028
General
-
Target
0055d5a7403e27756fa208318d4218ef.exe
-
Size
612KB
-
MD5
0055d5a7403e27756fa208318d4218ef
-
SHA1
ba62abb070f79a083e3b2630767d1830e0100f83
-
SHA256
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
-
SHA512
36a024bfef70cf2157ee99e69bc54feb0e51a3f1b0eeaa43758649f343d70cdc73195dfa25bbc32325112ac51303cc21cd8fa49537b9e06c52ba411eb0a6a2c6
Malware Config
Extracted
trickbot
100008
mor7
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
-
autorunName:pwgrab
Signatures
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ip.anysrc.net -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 748 wermgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
0055d5a7403e27756fa208318d4218ef.exepid process 2008 0055d5a7403e27756fa208318d4218ef.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
0055d5a7403e27756fa208318d4218ef.exedescription pid process target process PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe PID 2008 wrote to memory of 748 2008 0055d5a7403e27756fa208318d4218ef.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0055d5a7403e27756fa208318d4218ef.exe"C:\Users\Admin\AppData\Local\Temp\0055d5a7403e27756fa208318d4218ef.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/748-5-0x0000000000000000-mapping.dmp
-
memory/2008-4-0x0000000000290000-0x00000000002CC000-memory.dmpFilesize
240KB
-
memory/2008-6-0x0000000000360000-0x0000000000364000-memory.dmpFilesize
16KB
-
memory/2008-7-0x0000000002940000-0x0000000002944000-memory.dmpFilesize
16KB