Resubmissions
09-02-2021 11:39  210209-lfyp24da5a  10
23-01-2021 17:01  210123-4xx12ayy3j  10
19-01-2021 14:31  210119-mb2j2mf9t2  10
19-01-2021 14:31  210119-kh2vsarw2e  10
18-01-2021 18:05  210118-e5d7l4pynn  10
Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 18:05
Static task: static1
Behavioral task: behavioral1
Sample: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Resource: win7v20201028
General
Target: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Size: 532KB
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Malware Config
Extracted
Family: trickbot
Version: 2000020
Botnet: tot26
C2: 20 IP:port endpoints (ports 443 and 449)
Attributes: autorunName:pwgrab
Signatures
- Executes dropped EXE (1 IoC)
  PID 1860  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
- Loads dropped DLL (2 IoCs)
  PID 1432  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2020  wermgr.exe  Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1432  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  PID 1860  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1432 (f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe) wrote to memory of PID 1860 (f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe): 4 events
  PID 1860 (f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe) wrote to memory of PID 2020 (wermgr.exe): 6 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe"
   PID: 1432
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe (child of PID 1432)
      Command line: C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
      PID: 1860
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe (child of PID 1860)
         Command line: C:\Windows\system32\wermgr.exe
         PID: 2020
         - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  MD5: 2f9fc8e87e0484a96e7af9757228a789
  SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
  SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
  SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Memory dumps
- memory/1432-13-0x0000000002890000-0x0000000002894000-memory.dmp (16KB)
- memory/1432-5-0x0000000000240000-0x0000000000242000-memory.dmp (8KB)
- memory/1432-4-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (8KB)
- memory/1432-12-0x0000000000280000-0x0000000000284000-memory.dmp (16KB)
- memory/1860-15-0x0000000000390000-0x0000000000392000-memory.dmp (8KB)
- memory/1860-8-0x0000000000000000-mapping.dmp
- memory/1860-16-0x00000000004B0000-0x00000000004B1000-memory.dmp (4KB)
- memory/1860-17-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
- memory/1860-22-0x00000000027C0000-0x00000000027C4000-memory.dmp (16KB)
- memory/1860-21-0x00000000002C0000-0x00000000002C4000-memory.dmp (16KB)
- memory/2020-18-0x0000000000000000-mapping.dmp
- memory/2020-19-0x0000000000060000-0x0000000000087000-memory.dmp (156KB)
- memory/2020-20-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)