Analysis
- max time kernel: 85s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 10:56
Static task: static1
Behavioral task: behavioral1
Sample: e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
Resource: win7v20201028
General
- Target: e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
- Size: 835KB
- MD5: b77dbb9639819e23e228d0ecb25f6a60
- SHA1: 34e380337abcc97b1b848f1d2de5aea599af5c7e
- SHA256: e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1
- SHA512: a49a8bf8fda1c1812c14f720c42495300090750a720b1057cb0fe6ae6b83744663f128b1f570b57d62044d4a226fb0808cb5e64ec5e145e114f4249829fb5194
Malware Config
Extracted
trickbot
100010
rob38
- autorunName: pwgrab
Signatures
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 6  ioc api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description  pid  process
Token: SeDebugPrivilege  1644  wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description  pid  process  target process
PID 1852 wrote to memory of 1700  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1700  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1700  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1700  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
PID 1852 wrote to memory of 1644  1852  e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe  "C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe"  (level 1)
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\wermgr.exe  C:\Windows\system32\wermgr.exe  (level 2)
- C:\Windows\system32\wermgr.exe  C:\Windows\system32\wermgr.exe  (level 2)
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1644-7-0x0000000000000000-mapping.dmp
- memory/1644-8-0x0000000000060000-0x0000000000088000-memory.dmp  Filesize: 160KB
- memory/1644-9-0x0000000000110000-0x0000000000111000-memory.dmp  Filesize: 4KB
- memory/1852-2-0x00000000756C1000-0x00000000756C3000-memory.dmp  Filesize: 8KB
- memory/1852-3-0x0000000000230000-0x0000000000235000-memory.dmp  Filesize: 20KB
- memory/1852-4-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
- memory/1852-5-0x0000000000270000-0x0000000000271000-memory.dmp  Filesize: 4KB
- memory/1852-6-0x0000000010001000-0x0000000010003000-memory.dmp  Filesize: 8KB