Overview

Sample                 Platform         Score
0a30c8ec3a...eb.exe    windows7_x64     10
0a30c8ec3a...eb.exe    windows10_x64    10
0e5992163d...9c.exe    windows7_x64     10
0e5992163d...9c.exe    windows10_x64    10
17476cfc79...b97b55    linux_amd64
17476cfc79...b97b55    linux_mipsel
17476cfc79...b97b55    linux_mips
1ba5ce4390...83.exe    windows7_x64     10
1ba5ce4390...83.exe    windows10_x64    10
1d1003dba4...90.exe    windows7_x64     10
1d1003dba4...90.exe    windows10_x64    10
2994de3557...5d.exe    windows7_x64     10
2994de3557...5d.exe    windows10_x64    10
502ef08d3a...82.exe    windows7_x64     10
502ef08d3a...82.exe    windows10_x64    10
510ca04bda...6e.exe    windows7_x64     10
510ca04bda...6e.exe    windows10_x64    10
59ff60ff16...be.exe    windows7_x64     10
59ff60ff16...be.exe    windows10_x64    10
5f3aa837a2...b4.exe    windows7_x64     10
5f3aa837a2...b4.exe    windows10_x64    10
60dd8ddc33...ce.exe    windows7_x64     10
60dd8ddc33...ce.exe    windows10_x64    10
65f262b210...f0f6b3    linux_mips
6a229bd180...afae50    linux_amd64
6a229bd180...afae50    linux_mipsel
6a229bd180...afae50    linux_mips
6d75489cc9...e8.exe    windows7_x64     10
6d75489cc9...e8.exe    windows10_x64    10
860a424a67...f9.exe    windows7_x64     10
860a424a67...f9.exe    windows10_x64    10
8656f06dda...af.exe    windows7_x64     10
Analysis

max time kernel:  132s
max time network: 137s
platform:         windows7_x64
resource:         win7v20201028
submitted:        13-01-2021 06:34
Static task
  static1

Behavioral tasks (task, sample, resource)
  behavioral1   0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb.exe   win7v20201028
  behavioral2   0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb.exe   win10v20201028
  behavioral3   0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c.exe   win7v20201028
  behavioral4   0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c.exe   win10v20201028
  behavioral5   17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55       ubuntu-amd64
  behavioral6   17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55       debian9-mipsel
  behavioral7   17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55       debian9-mipsbe
  behavioral8   1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83.exe   win7v20201028
  behavioral9   1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83.exe   win10v20201028
  behavioral10  1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590.exe   win7v20201028
  behavioral11  1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590.exe   win10v20201028
  behavioral12  2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe   win7v20201028
  behavioral13  2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe   win10v20201028
  behavioral14  502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182.exe   win7v20201028
  behavioral15  502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182.exe   win10v20201028
  behavioral16  510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e.exe   win7v20201028
  behavioral17  510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e.exe   win10v20201028
  behavioral18  59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be.exe   win7v20201028
  behavioral19  59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be.exe   win10v20201028
  behavioral20  5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4.exe   win7v20201028
  behavioral21  5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4.exe   win10v20201028
  behavioral22  60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe   win7v20201028
  behavioral23  60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe   win10v20201028
  behavioral24  65f262b210c258048e07f19bb1652a88c1e4bf77d615bb387793038249f0f6b3       debian9-mipsbe
  behavioral25  6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50       ubuntu-amd64
  behavioral26  6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50       debian9-mipsel
  behavioral27  6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50       debian9-mipsbe
  behavioral28  6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8.exe   win7v20201028
  behavioral29  6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8.exe   win10v20201028
  behavioral30  860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe   win7v20201028
  behavioral31  860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe   win10v20201028
General

Target: 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
Size:   432KB
MD5:    f61419f981d3972f24a149c338f7d163
SHA1:   d1552af73d6150472aff0b9541c714048881720d
SHA256: 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d
SHA512: 74ad74d0ccfec137def0e5c17b9521b2d1efba20970e5e8e5d0432db465bafbf6d26db6c9852fb5f8200c31abfabfa0dc7df5e3c8835d7cc89ad80141ab0b2c5
Malware Config

Extracted
  Family:  trickbot
  Version: 100009
  Botnet:  tot5
  C2:
    149.54.11.54:449
    36.89.191.119:449
    41.159.31.227:449
    103.150.68.124:449
    103.126.185.7:449
    103.112.145.58:449
    103.110.53.174:449
    102.164.208.44:449
    194.5.249.143:443
    142.202.191.175:443
    195.123.241.31:443
    45.89.125.214:443
    45.83.151.103:443
    91.200.103.41:443
    66.70.246.0:443
    64.74.160.218:443
    198.46.198.115:443
    5.34.180.173:443
    23.227.196.5:443
    195.123.241.115:443
    107.152.42.163:443
  Attributes:
    autorunName: pwgrab
Signatures

Executes dropped EXE (1 IoC)
  pid 980    process 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe

Loads dropped DLL (1 IoC)
  pid 1676   process 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12    ioc wtfismyip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege   pid 1220   process wermgr.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description: PID 1676 wrote to memory of 980    pid 1676   process 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe   target process 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe   (4 identical entries)
  description: PID 980 wrote to memory of 1220    pid 980    process 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe   target process wermgr.exe   (6 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\DesktopColor\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
      command line: C:\Users\Admin\AppData\Roaming\DesktopColor\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe
         command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
  MD5:    f61419f981d3972f24a149c338f7d163
  SHA1:   d1552af73d6150472aff0b9541c714048881720d
  SHA256: 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d
  SHA512: 74ad74d0ccfec137def0e5c17b9521b2d1efba20970e5e8e5d0432db465bafbf6d26db6c9852fb5f8200c31abfabfa0dc7df5e3c8835d7cc89ad80141ab0b2c5

\Users\Admin\AppData\Roaming\DesktopColor\2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
  MD5:    f61419f981d3972f24a149c338f7d163
  SHA1:   d1552af73d6150472aff0b9541c714048881720d
  SHA256: 2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d
  SHA512: 74ad74d0ccfec137def0e5c17b9521b2d1efba20970e5e8e5d0432db465bafbf6d26db6c9852fb5f8200c31abfabfa0dc7df5e3c8835d7cc89ad80141ab0b2c5

memory/980-3-0x0000000000000000-mapping.dmp

memory/1220-5-0x0000000000000000-mapping.dmp