Analysis
- Max time kernel: 1704s
- Max time network: 1768s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 10-01-2021 10:11
- Static task: static1

General
- Target: 3285d1f22eb3b7f6acbaf7528d71714d.exe
- Size: 668KB
- MD5: 3285d1f22eb3b7f6acbaf7528d71714d
- SHA1: 8582e7f4b931d9e40f5c237a8b8ffd98ce73cb5b
- SHA256: 8f98d0e1c30fd1a365380df0aef7e89cd29ba92dc26bd1da389987616470862c
- SHA512: b7ab23844ee27c67fa89371b55c4e59367fffaad3880bd2f3b25982cb3ff0564d5b64e919ddb7fdac8d633108cdbb5d942c59759b9cc2104a4fdf21db3df1a36
Malware Config
Extracted
- Family: trickbot
- Version: 100009
- Botnet (gtag): mor9
- autorunName: pwgrab
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - 33, 1304, cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - 10, api.ipify.org
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File created, C:\Windows\system32\cn\yccudwdst.txt, wermgr.exe
- Discovers systems in the same network (1 TTP, 2 IoCs)
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid, process):
  - 1608, ipconfig.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - 1624, cmd.exe
  - 1624, cmd.exe
  - 1304, cmd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1168, wermgr.exe
  - Token: SeDebugPrivilege, 1624, cmd.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - 932, 3285d1f22eb3b7f6acbaf7528d71714d.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (848 IoCs)
  Processes (description, pid, process, target process), distinct entries only:
  - PID 932 wrote to memory of 1168, 932, 3285d1f22eb3b7f6acbaf7528d71714d.exe, wermgr.exe (repeated)
  - PID 1168 wrote to memory of 1624, 1168, wermgr.exe, cmd.exe (repeated)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3285d1f22eb3b7f6acbaf7528d71714d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3285d1f22eb3b7f6acbaf7528d71714d.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\system32\ipconfig.exe
        Command line: ipconfig /all
        - Gathers network information
      - [4] C:\Windows\system32\net.exe
        Command line: net config workstation
        - [5] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 config workstation
      - [4] C:\Windows\system32\net.exe
        Command line: net view /all
        - Discovers systems in the same network
      - [4] C:\Windows\system32\net.exe
        Command line: net view /all /domain
        - Discovers systems in the same network
      - [4] C:\Windows\system32\nltest.exe
        Command line: nltest /domain_trusts
      - [4] C:\Windows\system32\nltest.exe
        Command line: nltest /domain_trusts /all_trusts
Downloads
- memory/932-2-0x00000000003B0000-0x00000000003F0000-memory.dmp (filesize 256KB)
- memory/932-3-0x0000000001F30000-0x0000000001F6C000-memory.dmp (filesize 240KB)
- memory/1016-36-0x0000000000000000-mapping.dmp
- memory/1060-34-0x0000000000000000-mapping.dmp
- memory/1156-35-0x0000000000000000-mapping.dmp
- memory/1168-4-0x0000000000000000-mapping.dmp
- memory/1304-17-0x0000000000000000-mapping.dmp
- memory/1396-33-0x0000000000000000-mapping.dmp
- memory/1608-31-0x0000000000000000-mapping.dmp
- memory/1624-5-0x0000000000000000-mapping.dmp
- memory/1628-37-0x0000000000000000-mapping.dmp
- memory/1676-32-0x0000000000000000-mapping.dmp