Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 12-01-2021 21:09
Static task: static1
Behavioral task: behavioral1
Sample: kwcqgsatnmwpys.exe
Resource: win7v20201028
General
Target: kwcqgsatnmwpys.exe
Size: 488KB
MD5: d732b127b45d0775fe9040bc4ef83813
SHA1: 977df879a204997daf4e6f35a587f09c6b7d9863
SHA256: e040cad9eb0815e34d1133d52e15d5a254fabbff250972329303d0cc1da15c35
SHA512: 2e88e05b9d87643b2aad7eb28975ce012210c73763d6b412c948ad98733acd99e2ca3bddfc88930a5b575f736e3d5006ded251a9a8e3b3f213c99a6c09477cc0
Malware Config
Extracted
trickbot
100010
mor12
autorunName: pwgrab
Signatures

Blocklisted process makes network request (6 IoCs)
Processes:
flow  pid   process
4     1532  cmd.exe
5     1532  cmd.exe
6     1532  cmd.exe
7     1532  cmd.exe
10    1532  cmd.exe
11    1532  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  1532  cmd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process             target process
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
PID 1668 wrote to memory of 1532   1668  kwcqgsatnmwpys.exe  cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\kwcqgsatnmwpys.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\kwcqgsatnmwpys.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1532-2-0x0000000000000000-mapping.dmp