Resubmissions
Submitted          Task ID             Score
09-02-2021 11:39   210209-lfyp24da5a   10
23-01-2021 17:01   210123-4xx12ayy3j   10
19-01-2021 14:31   210119-mb2j2mf9t2   10
19-01-2021 14:31   210119-kh2vsarw2e   10
18-01-2021 18:05   210118-e5d7l4pynn   10
Analysis
-
max time kernel: 135s
max time network: 135s
platform: windows10_x64
resource: win10v20201028
submitted: 19-01-2021 14:31
Static task: static1
Behavioral task: behavioral1
Sample: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Resource: win7v20201028
General
-
Target: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Size: 532KB
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Malware Config
Extracted
Family: trickbot
Version: 2000020
Botnet: tot26
C2:
45.201.209.29:443
45.233.116.8:449
45.233.170.75:443
45.250.65.9:443
45.250.65.9:449
45.4.29.26:443
45.70.14.98:443
94.188.172.236:443
177.91.179.128:443
178.132.223.36:443
178.134.55.190:443
178.173.142.97:443
180.210.190.250:443
181.113.117.150:443
181.211.191.242:443
186.101.239.15:443
186.144.151.131:443
186.209.104.74:443
186.227.216.70:449
188.190.240.226:443
Attributes:
autorunName: pwgrab
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
pid   process
3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
24    checkip.amazonaws.com
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  3724  wermgr.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid   process
3932  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                       pid   process                                                                 target process
PID 3932 wrote to memory of 3988  3932  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 3932 wrote to memory of 3988  3932  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 3932 wrote to memory of 3988  3932  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 3988 wrote to memory of 3724  3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 3988 wrote to memory of 3724  3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 3988 wrote to memory of 3724  3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 3988 wrote to memory of 3724  3988  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3932
  -
  C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
    Command line: C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3988
    -
    C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 3724
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
-
memory/3724-13-0x0000000000000000-mapping.dmp
-
memory/3724-14-0x0000024CCEFD0000-0x0000024CCEFF7000-memory.dmp
Filesize: 156KB
-
memory/3724-15-0x0000024CCF1E0000-0x0000024CCF1E1000-memory.dmp
Filesize: 4KB
-
memory/3932-4-0x0000000000780000-0x0000000000782000-memory.dmp
Filesize: 8KB
-
memory/3988-5-0x0000000000000000-mapping.dmp
-
memory/3988-11-0x0000000002280000-0x0000000002281000-memory.dmp
Filesize: 4KB
-
memory/3988-10-0x00000000021F0000-0x00000000021F2000-memory.dmp
Filesize: 8KB
-
memory/3988-12-0x0000000010001000-0x0000000010003000-memory.dmp
Filesize: 8KB