Resubmissions
Date               Task ID             Score
09-02-2021 11:39   210209-lfyp24da5a   10
23-01-2021 17:01   210123-4xx12ayy3j   10
19-01-2021 14:31   210119-mb2j2mf9t2   10
19-01-2021 14:31   210119-kh2vsarw2e   10
18-01-2021 18:05   210118-e5d7l4pynn   10

Analysis
max time kernel: 1650s
max time network: 1727s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 14:31
Static task: static1
Behavioral task: behavioral1
Sample: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Resource: win7v20201028
General
Target: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Size: 532KB
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Malware Config
Extracted
Family: trickbot
Version: 2000020
Botnet: tot26
C2:
45.201.209.29:443
45.233.116.8:449
45.233.170.75:443
45.250.65.9:443
45.250.65.9:449
45.4.29.26:443
45.70.14.98:443
94.188.172.236:443
177.91.179.128:443
178.132.223.36:443
178.134.55.190:443
178.173.142.97:443
180.210.190.250:443
181.113.117.150:443
181.211.191.242:443
186.101.239.15:443
186.144.151.131:443
186.209.104.74:443
186.227.216.70:449
188.190.240.226:443
autorunName: pwgrab
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1400  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1152  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  PID 1152  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 7  ioc icanhazip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1444  wermgr.exe  Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID 1152  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  PID 1400  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description, pid, process, target process):
  PID 1152 wrote to memory of 1400  1152  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  target: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  (reported 4 times)
  PID 1400 wrote to memory of 1444  1400  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  target: wermgr.exe  (reported 6 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe"
   PID: 1152
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe (child of PID 1152)
      Command line: C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
      PID: 1400
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe (child of PID 1400)
         Command line: C:\Windows\system32\wermgr.exe
         PID: 1444
         - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c

\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
memory/1152-12-0x0000000002510000-0x0000000002514000-memory.dmp  Filesize: 16KB
memory/1152-5-0x0000000000240000-0x0000000000242000-memory.dmp  Filesize: 8KB
memory/1152-4-0x00000000760C1000-0x00000000760C3000-memory.dmp  Filesize: 8KB
memory/1152-13-0x0000000002600000-0x0000000002604000-memory.dmp  Filesize: 16KB
memory/1400-15-0x00000000001E0000-0x00000000001E2000-memory.dmp  Filesize: 8KB
memory/1400-8-0x0000000000000000-mapping.dmp
memory/1400-16-0x00000000003F0000-0x00000000003F1000-memory.dmp  Filesize: 4KB
memory/1400-17-0x0000000010001000-0x0000000010003000-memory.dmp  Filesize: 8KB
memory/1400-21-0x0000000002550000-0x0000000002554000-memory.dmp  Filesize: 16KB
memory/1400-22-0x0000000002650000-0x0000000002654000-memory.dmp  Filesize: 16KB
memory/1444-18-0x0000000000000000-mapping.dmp
memory/1444-19-0x0000000000060000-0x0000000000087000-memory.dmp  Filesize: 156KB
memory/1444-20-0x0000000000190000-0x0000000000191000-memory.dmp  Filesize: 4KB