Analysis
-
max time kernel
79s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 06:34
Static task
static1
Behavioral task
behavioral1
Sample
0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55
Resource
ubuntu-amd64
Behavioral task
behavioral6
Sample
17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55
Resource
debian9-mipsel
Behavioral task
behavioral7
Sample
17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55
Resource
debian9-mipsbe
Behavioral task
behavioral8
Sample
1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83.exe
Resource
win7v20201028
Behavioral task
behavioral9
Sample
1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590.exe
Resource
win7v20201028
Behavioral task
behavioral11
Sample
1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
Resource
win7v20201028
Behavioral task
behavioral13
Sample
2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182.exe
Resource
win7v20201028
Behavioral task
behavioral15
Sample
502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e.exe
Resource
win7v20201028
Behavioral task
behavioral17
Sample
510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be.exe
Resource
win7v20201028
Behavioral task
behavioral19
Sample
59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4.exe
Resource
win7v20201028
Behavioral task
behavioral21
Sample
5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
Resource
win7v20201028
Behavioral task
behavioral23
Sample
60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
65f262b210c258048e07f19bb1652a88c1e4bf77d615bb387793038249f0f6b3
Resource
debian9-mipsbe
Behavioral task
behavioral25
Sample
6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50
Resource
ubuntu-amd64
Behavioral task
behavioral26
Sample
6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50
Resource
debian9-mipsel
Behavioral task
behavioral27
Sample
6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50
Resource
debian9-mipsbe
Behavioral task
behavioral28
Sample
6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8.exe
Resource
win7v20201028
Behavioral task
behavioral29
Sample
6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe
Resource
win7v20201028
Behavioral task
behavioral31
Sample
860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe
Resource
win10v20201028
General
-
Target
860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe
-
Size
432KB
-
MD5
2416b3fead57166f33e05c52bc35faeb
-
SHA1
29a0be9b3e09758c3b40400e6a971fa6c85f14f1
-
SHA256
860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9
-
SHA512
a94cf5d20d3e923ba9fb8055752efe372bc4553d5c77a5c04eb84d3f3933c7014059bc0ed9361aaf196ca9510b15f386cadb14e85b3c9992be066d8eb4773069
Malware Config
Extracted
trickbot
100009
tot5
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
-
Autorun module: pwgrab
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
pid 1672 — process 860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe (the copy written to %APPDATA%\DesktopColor; pid 868, the submitted sample, spawns it — see the WriteProcessMemory events below)
Loads dropped DLL (1 IoC)
Processes:
pid 868 — process 860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe (the submitted sample running from %TEMP%)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service (icanhazip.com) to discover the infected system's external IP. An HTTP/DNS request to icanhazip.com from a process that is not a browser is a useful network detection hook for this family, but the service itself is benign and should not be treated as C2 infrastructure.
Processes:
flow 6 — icanhazip.com
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
wermgr.exe — Token: SeDebugPrivilege enabled — pid 1188. wermgr.exe is the legitimate Windows Error Reporting manager; here it is the target of the memory writes from pid 1672 (see WriteProcessMemory below), so the privilege change is consistent with injected code running inside it rather than normal WER activity.
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
PID 868 (860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe) wrote to memory of PID 1672 (860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe) — 4 events
PID 1672 (860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe) wrote to memory of PID 1188 (wermgr.exe) — 6 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe — command line: "C:\Users\Admin\AppData\Local\Temp\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\DesktopColor\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe — command line: C:\Users\Admin\AppData\Roaming\DesktopColor\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe (depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exe — command line: C:\Windows\system32\wermgr.exe (depth 3)
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\DesktopColor\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe (dropped copy; all hashes match the submitted sample, i.e. the binary copies itself unchanged into %APPDATA%\DesktopColor)
MD5 2416b3fead57166f33e05c52bc35faeb
SHA1 29a0be9b3e09758c3b40400e6a971fa6c85f14f1
SHA256 860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9
SHA512 a94cf5d20d3e923ba9fb8055752efe372bc4553d5c77a5c04eb84d3f3933c7014059bc0ed9361aaf196ca9510b15f386cadb14e85b3c9992be066d8eb4773069
-
\Users\Admin\AppData\Roaming\DesktopColor\860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9.exe (same file, drive-relative path)
MD5 2416b3fead57166f33e05c52bc35faeb
SHA1 29a0be9b3e09758c3b40400e6a971fa6c85f14f1
SHA256 860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9
SHA512 a94cf5d20d3e923ba9fb8055752efe372bc4553d5c77a5c04eb84d3f3933c7014059bc0ed9361aaf196ca9510b15f386cadb14e85b3c9992be066d8eb4773069
-
memory/1188-5-0x0000000000000000-mapping.dmp
-
memory/1672-3-0x0000000000000000-mapping.dmp