Analysis
- max time kernel: 128s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-01-2021 23:57
Static task: static1
Behavioral task: behavioral1
Sample: saved.png.exe
Resource: win7v20201028
General
- Target: saved.png.exe
- Size: 432KB
- MD5: 0739c8b902eb6b89666d31b744eeb90e
- SHA1: 64cb9f5da3ddc769b438c43b994e47487c744cd2
- SHA256: ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
- SHA512: 5c73dca3565e08fba8ad42676237dfe0241a241187cfa2548551ae041569d03886fee580f708e3c43b3dc8e04352a111f2747a6b1d07306764084817ddab3363
Malware Config
Extracted: trickbot
100009
tot5
- autorunName: pwgrab
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3336  saved.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    19    wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  652  wermgr.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid   process        target process
    PID 60 wrote to memory of 3336   60    saved.png.exe  saved.exe
    PID 60 wrote to memory of 3336   60    saved.png.exe  saved.exe
    PID 60 wrote to memory of 3336   60    saved.png.exe  saved.exe
    PID 3336 wrote to memory of 652  3336  saved.exe      wermgr.exe
    PID 3336 wrote to memory of 652  3336  saved.exe      wermgr.exe
    PID 3336 wrote to memory of 652  3336  saved.exe      wermgr.exe
    PID 3336 wrote to memory of 652  3336  saved.exe      wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\saved.png.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\saved.png.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\DesktopColor\saved.exe
      Command line: C:\Users\Admin\AppData\Roaming\DesktopColor\saved.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\DesktopColor\saved.exe
  MD5: 0739c8b902eb6b89666d31b744eeb90e
  SHA1: 64cb9f5da3ddc769b438c43b994e47487c744cd2
  SHA256: ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
  SHA512: 5c73dca3565e08fba8ad42676237dfe0241a241187cfa2548551ae041569d03886fee580f708e3c43b3dc8e04352a111f2747a6b1d07306764084817ddab3363
- memory/652-5-0x0000000000000000-mapping.dmp
- memory/3336-2-0x0000000000000000-mapping.dmp