Analysis
max time kernel: 105s
max time network: 117s
platform: windows7_x64
resource: win7v20201028
submitted: 06-01-2021 07:54
Static task: static1
Behavioral task: behavioral1
Sample: 7a259490a64411180dd9c14a6c42ff44.exe
Resource: win7v20201028
General
Target: 7a259490a64411180dd9c14a6c42ff44.exe
Size: 424KB
MD5: 7a259490a64411180dd9c14a6c42ff44
SHA1: 42cbd5cbe49e28fbb48f39cfd277be8c1c12fc17
SHA256: 662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
SHA512: f9d1bd1689b696027d6b763e901845222365cc8660a0602bddc023aae3edadc1c0fca2af53f8b52ddad0407b6dcc37fc76ad37cc59caf1c5e1dd88c20d1720cd
Malware Config
Extracted
Family: trickbot
Version: 100009
Botnet (gtag): lib5
C2 (21 endpoints; 8 on port 449, 13 on port 443):
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Attributes: autorunName: pwgrab
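The extracted config above is the part of this report most people actually act on, so here is an added example (not part of the sandbox output) that parses that flat listing into a structured record and turns the C2 endpoints into Suricata rules. The EXTRACTED_BLOCK string is a constructed copy of the 21 endpoints and attribute listed above; the field labels (family, version, botnet), the SID range and the rule message text are this example's own choices, not anything the report specifies. Malformed lines raise instead of being skipped, so a truncated paste cannot silently produce a short blocklist.

```python
import ipaddress
import re

# Constructed from the "Extracted" block of this report: the same 21 C2
# endpoints in the same order, plus the version, botnet tag and attribute.
EXTRACTED_BLOCK = """\
trickbot
100009
lib5
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
autorunName:pwgrab
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
ATTR_RE = re.compile(r"^([A-Za-z_]\w*):(\S+)$")


def parse_trickbot_config(text):
    """Turn the flat extracted-config listing into a dict.

    The first three lines are taken as family, version and botnet tag in
    that order (the report's layout; the labels are this parser's own).
    Every later line must be an ip:port C2 endpoint or a key:value
    attribute; anything else raises rather than being dropped.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config block too short")
    cfg = {"family": lines[0], "version": lines[1], "botnet": lines[2],
           "c2": [], "attributes": {}}
    for line in lines[3:]:
        m = C2_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))   # rejects octets > 255
            port = int(m.group(2))
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            cfg["c2"].append((str(ip), port))
            continue
        m = ATTR_RE.match(line)
        if m:
            cfg["attributes"][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unrecognised config line {line!r}")
    return cfg


def c2_ports(cfg):
    """Count C2 endpoints per destination port."""
    counts = {}
    for _, port in cfg["c2"]:
        counts[port] = counts.get(port, 0) + 1
    return counts


def suricata_rules(cfg, base_sid=9000000):
    """One outbound alert per C2 endpoint, matched on exact IP and port.

    base_sid is an arbitrary starting SID for this example; pick a free
    range in your own ruleset.
    """
    rules = []
    for i, (ip, port) in enumerate(cfg["c2"]):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"TrickBot {cfg["botnet"]} C2 {ip}:{port}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_trickbot_config(EXTRACTED_BLOCK)
    print(cfg["family"], cfg["version"], cfg["botnet"], c2_ports(cfg))
    print("\n".join(suricata_rules(cfg)))
```

Treat the output as a point-in-time blocklist: the endpoints are whatever this sample carried on the submission date, and a later build of the same botnet will carry a different list, so the rules need the same refresh cadence as the config extraction that feeds them.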
Signatures
Executes dropped EXE (1 IoC)
  pid 1520  7a259490a64411180dd9c14a6c42ff44.exe
Loads dropped DLL (1 IoC)
  pid 1640  7a259490a64411180dd9c14a6c42ff44.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12  ident.me
  flow 13  ident.me
Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1512  wermgr.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1640 (7a259490a64411180dd9c14a6c42ff44.exe) wrote to memory of PID 1520 (7a259490a64411180dd9c14a6c42ff44.exe): 4 events
  PID 1520 (7a259490a64411180dd9c14a6c42ff44.exe) wrote to memory of PID 1512 (wermgr.exe): 6 events
Processes
C:\Users\Admin\AppData\Local\Temp\7a259490a64411180dd9c14a6c42ff44.exe (pid 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a259490a64411180dd9c14a6c42ff44.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\DesktopColor\7a259490a64411180dd9c14a6c42ff44.exe (pid 1520)
    command line: C:\Users\Admin\AppData\Roaming\DesktopColor\7a259490a64411180dd9c14a6c42ff44.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe (pid 1512)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
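The process tree above is the detectable shape of this sample: a binary in %TEMP% relaunches a same-named copy of itself from %APPDATA%\Roaming\DesktopColor, and that copy starts the signed system binary wermgr.exe and writes into it. As an added example (not part of the sandbox report), the rules below run over a constructed list of process-creation events that mirrors the tree's PIDs and paths, plus one benign wermgr.exe launch by svchost.exe as a negative case. The parent PIDs of the top-level processes (1300, 600) are invented for the sample data; the sandbox's WriteProcessMemory signature comes from API hooks, so on a real host these parentage rules are the coarse proxy you would pair with Sysmon ProcessAccess/CreateRemoteThread (event IDs 10 and 8) or EDR telemetry.

```python
import ntpath

# Constructed process-creation events mirroring the tree in this report
# (PIDs 1640, 1520, 1512 and their paths as listed), plus a benign
# wermgr.exe launched by svchost.exe. Parent PIDs 1300 and 600 are made up.
SAMPLE_EVENTS = [
    {"pid": 1640, "ppid": 1300,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7a259490a64411180dd9c14a6c42ff44.exe"},
    {"pid": 1520, "ppid": 1640,
     "image": r"C:\Users\Admin\AppData\Roaming\DesktopColor\7a259490a64411180dd9c14a6c42ff44.exe"},
    {"pid": 1512, "ppid": 1520, "image": r"C:\Windows\system32\wermgr.exe"},
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2200, "ppid": 800, "image": r"C:\Windows\System32\wermgr.exe"},
]

# Directories an unprivileged user can write to. A Windows system binary
# whose parent runs from one of these deserves a look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)


def under_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return ntpath.basename(path).lower()


def find_user_writable_parent_of_wermgr(events):
    """Flag wermgr.exe launches whose parent runs from a user-writable path.

    Legitimate wermgr.exe is started by the Windows Error Reporting
    service host, not by an executable living in %APPDATA% or %TEMP%.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "wermgr.exe":
            continue
        parent = by_pid.get(e["ppid"])          # None if parent not logged
        if parent is not None and under_user_writable(parent["image"]):
            hits.append({"child_pid": e["pid"], "parent_pid": parent["pid"],
                         "parent_image": parent["image"]})
    return hits


def find_self_copy_relaunch(events):
    """Flag a process that launches a same-named binary from a different,
    user-writable directory (the Temp to Roaming hop in the tree above).
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_name = basename(parent["image"]) == basename(e["image"])
        moved = parent["image"].lower() != e["image"].lower()
        if same_name and moved and under_user_writable(e["image"]):
            hits.append({"parent_pid": parent["pid"], "child_pid": e["pid"],
                         "from": parent["image"], "to": e["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_self_copy_relaunch(SAMPLE_EVENTS):
        print("self-copy relaunch:", hit)
    for hit in find_user_writable_parent_of_wermgr(SAMPLE_EVENTS):
        print("wermgr.exe with user-writable parent:", hit)
```

The second rule is deliberately narrow: it keys on the parent path, not on the child being wermgr.exe alone, because wermgr.exe starts on every crash report and the svchost.exe-spawned instance in the sample data must not fire.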
Downloads
C:\Users\Admin\AppData\Roaming\DesktopColor\7a259490a64411180dd9c14a6c42ff44.exe
  MD5: 7a259490a64411180dd9c14a6c42ff44
  SHA1: 42cbd5cbe49e28fbb48f39cfd277be8c1c12fc17
  SHA256: 662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
  SHA512: f9d1bd1689b696027d6b763e901845222365cc8660a0602bddc023aae3edadc1c0fca2af53f8b52ddad0407b6dcc37fc76ad37cc59caf1c5e1dd88c20d1720cd
\Users\Admin\AppData\Roaming\DesktopColor\7a259490a64411180dd9c14a6c42ff44.exe
  MD5: 7a259490a64411180dd9c14a6c42ff44
  SHA1: 42cbd5cbe49e28fbb48f39cfd277be8c1c12fc17
  SHA256: 662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
  SHA512: f9d1bd1689b696027d6b763e901845222365cc8660a0602bddc023aae3edadc1c0fca2af53f8b52ddad0407b6dcc37fc76ad37cc59caf1c5e1dd88c20d1720cd
Both entries carry exactly the hashes of the submitted sample (see General above): the file in Roaming\DesktopColor is an unmodified copy of the original, not a second-stage payload, so the same file hashes serve for both locations.
memory/1512-5-0x0000000000000000-mapping.dmp  (wermgr.exe, pid 1512)
memory/1520-3-0x0000000000000000-mapping.dmp  (dropped copy, pid 1520)