Analysis
max time kernel: 1741s
max time network: 1741s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 08:58
Static task: static1
General
Target: e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
Size: 835KB
MD5: b77dbb9639819e23e228d0ecb25f6a60
SHA1: 34e380337abcc97b1b848f1d2de5aea599af5c7e
SHA256: e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1
SHA512: a49a8bf8fda1c1812c14f720c42495300090750a720b1057cb0fe6ae6b83744663f128b1f570b57d62044d4a226fb0808cb5e64ec5e145e114f4249829fb5194
Malware Config
Extracted
Family: trickbot
Version: 100010
Botnet (gtag): rob38
C2 (ip:port):
5.34.180.180:443
64.74.160.228:443
198.46.198.116:443
5.34.180.185:443
107.152.46.188:443
195.123.241.214:443
23.254.224.2:443
107.172.188.113:443
200.52.147.93:443
185.198.59.45:443
45.14.226.101:443
185.82.126.38:443
85.204.116.139:443
45.155.173.248:443
103.91.244.50:443
45.230.244.20:443
45.226.124.226:443
187.84.95.6:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
180.92.158.244:443
Autorun name: pwgrab
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12: ipecho.net

Drops file in System32 directory (1 IoC)
  wermgr.exe: File created C:\Windows\system32\cn\tyqiwr.txt

Discovers systems in the same network (1 TTP, 2 IoCs)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  pid 1296: ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1872: svchost.exe
  pid 1872: svchost.exe
  pid 1156: svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1396: wermgr.exe
  Token: SeDebugPrivilege, pid 1872: svchost.exe

Suspicious use of WriteProcessMemory (852 IoCs; the rows shown are repeats of the three source/target pairs below)
  PID 844 (e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe) wrote to memory of PID 468 (wermgr.exe): 4 rows
  PID 844 (e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe) wrote to memory of PID 1396 (wermgr.exe): 6 rows
  PID 1396 (wermgr.exe) wrote to memory of PID 1872 (svchost.exe): all remaining rows shown
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\ipconfig.exe
        command line: ipconfig /all
        - Gathers network information
      C:\Windows\system32\net.exe
        command line: net config workstation
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 config workstation
      C:\Windows\system32\net.exe
        command line: net view /all
        - Discovers systems in the same network
      C:\Windows\system32\net.exe
        command line: net view /all /domain
        - Discovers systems in the same network
      C:\Windows\system32\nltest.exe
        command line: nltest /domain_trusts
      C:\Windows\system32\nltest.exe
        command line: nltest /domain_trusts /all_trusts
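The signature hits and the process tree above describe a chain that can be written down as detection logic: a binary in a user Temp directory spawns wermgr.exe and writes into it, wermgr.exe spawns svchost.exe (which should normally only be started by services.exe), and one svchost.exe then runs a burst of discovery commands. The Python below is an added example, not part of the sandbox report or of the sample. It replays a constructed process-creation log that mirrors the tree (the report's PIDs 844, 468, 1396, 1872, 1156 and 1296 are reused; the dropper's parent PID 1000 and the PIDs 2001-2006 of the net.exe, net1.exe and nltest.exe children are assumed) through three rules, and it checks constructed connection-log lines against the C2 list from the Malware Config section.

```python
"""Host-side rules for the TrickBot chain seen in this report (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a process-creation event would log it
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe"
S32 = r"C:\Windows\system32"

# Constructed event log mirroring the report's process tree. PIDs 844, 468, 1396,
# 1872, 1156 and 1296 come from the report; 1000 (the dropper's parent) and
# 2001-2006 (net/net1/nltest children) are assumed for illustration.
SAMPLE_EVENTS = [
    ProcEvent(844, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(468, 844, rf"{S32}\wermgr.exe", rf"{S32}\wermgr.exe"),
    ProcEvent(1396, 844, rf"{S32}\wermgr.exe", rf"{S32}\wermgr.exe"),
    ProcEvent(1872, 1396, rf"{S32}\svchost.exe", rf"{S32}\svchost.exe"),
    ProcEvent(1156, 1396, rf"{S32}\svchost.exe", rf"{S32}\svchost.exe"),
    ProcEvent(1296, 1156, rf"{S32}\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2001, 1156, rf"{S32}\net.exe", "net config workstation"),
    ProcEvent(2002, 2001, rf"{S32}\net1.exe", rf"{S32}\net1 config workstation"),
    ProcEvent(2003, 1156, rf"{S32}\net.exe", "net view /all"),
    ProcEvent(2004, 1156, rf"{S32}\net.exe", "net view /all /domain"),
    ProcEvent(2005, 1156, rf"{S32}\nltest.exe", "nltest /domain_trusts"),
    ProcEvent(2006, 1156, rf"{S32}\nltest.exe", "nltest /domain_trusts /all_trusts"),
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# One pattern per discovery command family seen in the tree; net1.exe is the
# worker that net.exe spawns and is deliberately not matched, so it is not counted twice.
DISCOVERY = [re.compile(p, re.I) for p in (
    r"^ipconfig(\.exe)?\s+/all\b",
    r"^net(\.exe)?\s+view\b",
    r"^net(\.exe)?\s+config\s+workstation\b",
    r"^nltest(\.exe)?\s+/domain_trusts\b",
)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings for the rules below over a list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: a system32 binary launched by an executable living in a user
        # Temp directory (the dropper -> wermgr.exe step in the report).
        if e.image.lower().startswith(S32.lower() + "\\") and USER_WRITABLE.match(parent.image):
            findings.append(("system32_child_of_temp_binary", e.pid))
        # Rule 2: svchost.exe whose parent is not services.exe. In the report the
        # parent is wermgr.exe, consistent with the WriteProcessMemory rows.
        if basename(e.image) == "svchost.exe" and basename(parent.image) != "services.exe":
            findings.append(("svchost_unexpected_parent", e.pid))
    # Rule 3: discovery burst, i.e. at least three distinct discovery command
    # families spawned by the same parent process.
    per_parent = defaultdict(set)
    for e in events:
        for i, rx in enumerate(DISCOVERY):
            if rx.search(e.cmdline):
                per_parent[e.ppid].add(i)
    for ppid, kinds in per_parent.items():
        if len(kinds) >= 3:
            findings.append(("discovery_burst", ppid))
    return findings


# The C2 list extracted from this sample (Malware Config section of the report).
C2 = set("""
5.34.180.180:443 64.74.160.228:443 198.46.198.116:443 5.34.180.185:443 107.152.46.188:443
195.123.241.214:443 23.254.224.2:443 107.172.188.113:443 200.52.147.93:443 185.198.59.45:443
45.14.226.101:443 185.82.126.38:443 85.204.116.139:443 45.155.173.248:443 103.91.244.50:443
45.230.244.20:443 45.226.124.226:443 187.84.95.6:443 186.250.157.116:443 186.137.85.76:443
36.94.62.207:443 182.253.107.34:443 180.92.158.244:443
""".split())

FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")


def match_c2(flow_lines, c2=C2):
    """Return the destination ip:port of each 'src:port -> dst:port' line that is in the C2 set."""
    hits = []
    for line in flow_lines:
        m = FLOW.search(line)
        if m and f"{m.group(3)}:{m.group(4)}" in c2:
            hits.append(f"{m.group(3)}:{m.group(4)}")
    return hits


# Constructed connection-log lines (not from the report); the middle one is benign.
SAMPLE_FLOWS = [
    "10.0.0.5:49711 -> 5.34.180.180:443",
    "10.0.0.5:49712 -> 93.184.216.34:443",
    "10.0.0.5:49713 -> 185.198.59.45:443",
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    for hit in match_c2(SAMPLE_FLOWS):
        print(f"c2 contact: {hit}")
```

The process-chain rules carry the more durable signal: the C2 list is a snapshot of one configuration and TrickBot rotates servers, so it is best treated as a short-lived block list. Rule 2 needs a per-environment allow-list, because a few legitimate parents other than services.exe do start svchost.exe, and the ipecho.net lookup flagged above is too common among benign software to alert on by itself.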
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/580-20-0x0000000000000000-mapping.dmp
memory/592-17-0x0000000000000000-mapping.dmp
memory/844-5-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize: 4KB)
memory/844-2-0x00000000761E1000-0x00000000761E3000-memory.dmp (Filesize: 8KB)
memory/844-4-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
memory/844-6-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
memory/844-3-0x0000000000240000-0x0000000000245000-memory.dmp (Filesize: 20KB)
memory/888-18-0x0000000000000000-mapping.dmp
memory/1156-13-0x0000000000000000-mapping.dmp
memory/1296-16-0x0000000000000000-mapping.dmp
memory/1396-9-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
memory/1396-8-0x0000000000060000-0x0000000000088000-memory.dmp (Filesize: 160KB)
memory/1396-7-0x0000000000000000-mapping.dmp
memory/1568-21-0x0000000000000000-mapping.dmp
memory/1672-19-0x0000000000000000-mapping.dmp
memory/1872-12-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
memory/1872-10-0x0000000000000000-mapping.dmp
memory/1984-22-0x0000000000000000-mapping.dmp