Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-01-2021 12:43
- Static task: static1
- Behavioral task: behavioral1, sample uploads[1].png.0.dr.exe, resource win7v20201028
- Behavioral task: behavioral2, sample uploads[1].png.0.dr.exe, resource win10v20201028
(The signatures, process tree and memory dumps below are from the windows7_x64 run, behavioral1.)
General
- Target: uploads[1].png.0.dr.exe
- Size: 1.3MB
- MD5: b9ab9ac3b5335fdca292acb7ca85eb14
- SHA1: 26847a08f6e0504aff926b6278b2b8efdc90036a
- SHA256: d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
- SHA512: b0ed0d2a1291dc20a4a8b080c95fcdd34413cce70e95ea554675fb57a327e9b33cb79844278eb3d32398d2d2457e409ca4736ef2c24633ed8306809df7d197b1
Malware Config
Extracted
- Family: trickbot
- Version: 2000022
- Botnet (gtag): rob1
- C2 (all TCP/443):
  85.204.116.83:443
  91.200.100.143:443
  83.151.14.13:443
  107.191.61.39:443
  113.160.129.15:443
  139.162.182.54:443
  139.162.44.152:443
  144.202.106.23:443
  158.247.219.186:443
  172.105.107.25:443
  172.105.190.51:443
  172.105.196.53:443
  172.105.25.190:443
  178.79.138.253:443
  192.46.229.48:443
  207.246.92.48:443
  216.128.130.16:443
  45.79.126.97:443
  45.79.155.9:443
  45.79.212.97:443
  45.79.253.142:443
  45.79.90.143:443
  66.42.113.16:443
  85.159.214.61:443
- autorunName: pwgrab (module autorun entry; pwgrab is TrickBot's credential-grabber module)
Signatures
- Executes dropped EXE (3 IoCs)
  pid   process
  296   Tua.com
  844   Tua.com
  840   Tua.com
- Loads dropped DLL (3 IoCs)
  pid   process
  1740  cmd.exe
  296   Tua.com
  844   Tua.com
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                   process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce      uploads[1].png.0.dr.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""   uploads[1].png.0.dr.exe
  Caveat: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the stock entry an IExpress/wextract self-extractor writes so the extraction folder is deleted at next logon. It is cleanup of the dropper's temp directory, not persistence for the payload; no other autorun entry is recorded in this run.
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process   target process
  PID 844 set thread context of 840     844   Tua.com   Tua.com
  Note: a parent that writes into the child it has just spawned and then sets that child's thread context is the process-hollowing pattern. The 240KB dump of PID 840 at 0x00400000-0x0043C000 (memory section below) covers that child's image region.
- Runs ping.exe (1 TTP, 1 IoC): PING.EXE 1188, `ping 127.0.0.1 -n 30` (a roughly 30-second delay; see the process tree).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   1620   wermgr.exe
- Suspicious use of WriteProcessMemory (52 IoCs), collapsed to source/target pairs with the number of writes recorded:
  source                          target                 writes
  776  uploads[1].png.0.dr.exe    2016  cmd.exe          4
  776  uploads[1].png.0.dr.exe    1980  cmd.exe          4
  1980 cmd.exe                    1888  certutil.exe     4
  1980 cmd.exe                    1740  cmd.exe          4
  1740 cmd.exe                    1692  findstr.exe      4
  1740 cmd.exe                    576   certutil.exe     4
  1740 cmd.exe                    296   Tua.com          4
  1740 cmd.exe                    1188  PING.EXE         4
  296  Tua.com                    844   Tua.com          4
  844  Tua.com                    840   Tua.com          6
  840  Tua.com                    908   wermgr.exe       4
  840  Tua.com                    1620  wermgr.exe       6
  Every parent/child pair in the process tree appears here with 4 writes; the two pairs that exceed that baseline are 844 to 840 (the Tua.com child whose thread context 844 also set) and 840 to 1620 (the wermgr.exe instance that then enabled SeDebugPrivilege).
Processes (indentation = parent/child depth; signature hits in brackets)
PID 776   C:\Users\Admin\AppData\Local\Temp\uploads[1].png.0.dr.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\uploads[1].png.0.dr.exe"
          [Adds Run key to start application; Suspicious use of WriteProcessMemory]
  PID 2016  C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c fhlfszSNj
  PID 1980  C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c certutil -decode Brucia.xls Suo.dot & cmd < Suo.dot
            [Suspicious use of WriteProcessMemory]
    PID 1888  C:\Windows\SysWOW64\certutil.exe
              cmd: certutil -decode Brucia.xls Suo.dot
    PID 1740  C:\Windows\SysWOW64\cmd.exe
              cmd: cmd
              [Loads dropped DLL; Suspicious use of WriteProcessMemory]
      PID 1692  C:\Windows\SysWOW64\findstr.exe
                cmd: findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$" Estremita.adt
      PID 576   C:\Windows\SysWOW64\certutil.exe
                cmd: certutil -decode Ore.ini Z
      PID 296   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
                cmd: Tua.com Z
                [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
        PID 844   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com Z
                  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
          PID 840   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
                    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
                    [Executes dropped EXE; Suspicious use of WriteProcessMemory]
            PID 908   C:\Windows\system32\wermgr.exe
                      cmd: C:\Windows\system32\wermgr.exe
            PID 1620  C:\Windows\system32\wermgr.exe
                      cmd: C:\Windows\system32\wermgr.exe
                      [Suspicious use of AdjustPrivilegeToken]
      PID 1188  C:\Windows\SysWOW64\PING.EXE
                cmd: ping 127.0.0.1 -n 30
                [Runs ping.exe]

Reading the chain: the self-extractor (776) unpacks its files into IXP000.TMP (the IExpress/wextract layout, matching the wextract_cleanup0 RunOnce entry above). A first batch stage (1980) uses certutil -decode to turn Brucia.xls into the script Suo.dot and feeds that script to a fresh cmd.exe (1740) over stdin, so the real commands never appear on a command line. That script filters Estremita.adt through findstr /V to drop a single marker line (where the output goes is inside Suo.dot, not visible here), decodes Ore.ini into Z, starts the dropped Tua.com with Z as its argument, and pads the run with a 30-second ping to 127.0.0.1. Tua.com relaunches itself twice; the second instance (844) writes into its child (840) and sets its thread context, and 840 in turn writes into two wermgr.exe instances, one of which (1620) then enables SeDebugPrivilege. The `cmd /c fhlfszSNj` child (2016) produces nothing further in this run.
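The chain above is a good fixture for process-creation detection logic. The following is an added example, not part of the sandbox report: the events are constructed from the report's PIDs, images and command lines in the shape of Sysmon/EDR process-creation records, and each rule encodes one behaviour the chain depends on (certutil -decode of a non-certificate file, cmd.exe fed from stdin, ping as a sleep, execution out of the user's Temp tree with an odd extension, and wermgr.exe spawned by a parent outside C:\Windows). The wermgr.exe parent baseline and the certificate extension list are assumptions of the example, not facts from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
TUA = TMP + r"\IXP000.TMP\Tua.com"
W64 = r"C:\Windows\SysWOW64"
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    ProcEvent(776, 0, TMP + "\\uploads[1].png.0.dr.exe", '"' + TMP + "\\uploads[1].png.0.dr.exe\""),
    ProcEvent(2016, 776, W64 + r"\cmd.exe", "cmd /c fhlfszSNj"),
    ProcEvent(1980, 776, W64 + r"\cmd.exe", "cmd /c certutil -decode Brucia.xls Suo.dot & cmd < Suo.dot"),
    ProcEvent(1888, 1980, W64 + r"\certutil.exe", "certutil -decode Brucia.xls Suo.dot"),
    ProcEvent(1740, 1980, W64 + r"\cmd.exe", "cmd"),
    ProcEvent(1692, 1740, W64 + r"\findstr.exe", 'findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$" Estremita.adt'),
    ProcEvent(576, 1740, W64 + r"\certutil.exe", "certutil -decode Ore.ini Z"),
    ProcEvent(296, 1740, TUA, "Tua.com Z"),
    ProcEvent(1188, 1740, W64 + r"\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(844, 296, TUA, TUA + " Z"),
    ProcEvent(840, 844, TUA, TUA),
    ProcEvent(908, 840, WERMGR, WERMGR),
    ProcEvent(1620, 840, WERMGR, WERMGR),
]

TOKEN = re.compile(r'"[^"]*"|\S+')
# Assumed list of extensions certutil is legitimately pointed at (example assumption).
CERT_EXTS = {".cer", ".crt", ".pem", ".der", ".p7b", ".pfx", ".p12", ".txt", ".b64"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ext(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def rule_certutil_decode(ev, parent):
    """certutil -decode whose input does not look like certificate material (T1140)."""
    if basename(ev.image) != "certutil.exe":
        return None
    toks = [t.strip('"').lower() for t in TOKEN.findall(ev.cmdline)]
    for i, t in enumerate(toks):
        if t in ("-decode", "/decode", "-decodehex", "/decodehex") and i + 1 < len(toks):
            if ext(toks[i + 1]) not in CERT_EXTS:
                return f"certutil decodes non-certificate file {toks[i + 1]!r} (T1140)"
    return None


def rule_cmd_stdin(ev, parent):
    """cmd.exe reading its script from a redirected file keeps the real commands off the command line."""
    if basename(ev.image) == "cmd.exe" and re.search(r"\bcmd(\.exe)?\s*<\s*\S+", ev.cmdline):
        return "cmd.exe takes its script from stdin redirection"
    return None


def rule_ping_sleep(ev, parent):
    """ping to loopback with a large -n count is a sleep, not a connectivity test."""
    m = re.search(r"-n\s+(\d+)", ev.cmdline)
    if basename(ev.image) == "ping.exe" and m and int(m.group(1)) >= 10 and "127.0.0.1" in ev.cmdline:
        return f"ping to loopback used as a ~{m.group(1)} s sleep"
    return None


def rule_temp_exec(ev, parent):
    """Anything executing out of the user's Temp tree; call out odd extensions such as .com."""
    if "\\appdata\\local\\temp\\" in ev.image.lower():
        odd = "" if ext(ev.image) == ".exe" else f" with non-.exe extension {ext(ev.image)!r}"
        return "executable launched from user Temp" + odd
    return None


def rule_wermgr_parent(ev, parent):
    """Assumed baseline (not from the report): wermgr.exe is normally started by
    svchost.exe out of C:\\Windows, never by a program in a user-writable path."""
    if basename(ev.image) == "wermgr.exe" and parent is not None \
            and not parent.image.lower().startswith("c:\\windows\\"):
        return f"wermgr.exe spawned by non-Windows parent {parent.image} (injection target)"
    return None


RULES = [rule_certutil_decode, rule_cmd_stdin, rule_ping_sleep, rule_temp_exec, rule_wermgr_parent]


def analyse(events):
    """Return {pid: [finding, ...]} for every process that triggers at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        hits = [h for h in (rule(ev, by_pid.get(ev.ppid)) for rule in RULES) if h]
        if hits:
            findings[ev.pid] = hits
    return findings


def chain(events, pid):
    """Ancestry of pid as lower-cased image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out[::-1]


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, " > ".join(chain(EVENTS, pid)))
        for h in hits:
            print("    ", h)
```

Ten of the thirteen processes trigger at least one rule; the three that do not (2016, 1740 and the findstr child 1692) are only suspicious through their ancestry, which is why `chain()` is printed alongside each finding: the rules are per-event, but the ancestry from a Temp-resident dropper through two cmd.exe layers to wermgr.exe is what ties the alerts into one incident.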
Network
MITRE ATT&CK Enterprise v6
Downloads (files dropped into C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\)
- Appare.sys (dropped; not referenced by any observed command line)
  MD5    f24168a8978d6f37d25752f05efdf8c2
  SHA1   f0680ec42311212cef68370a83f4d62c7966099e
  SHA256 08459331eceb39b60a5b166ee3322767c157292dc108df54933227c6bd500b28
  SHA512 1d95ceeb4f861eb36b23145dc39db42bd8960f721dc6632428e2243446c1e7b02a39488c30ecaf28757b857ef78cf842ec99e11fa00380b766126fdf6134c724
- Brucia.xls (input to `certutil -decode Brucia.xls Suo.dot`)
  MD5    82d90d91a120a19919dbc524880a2eae
  SHA1   b86fb4b724d11d5c412e04251e0cd830755ef007
  SHA256 875a4cdc9fbd55810dd252f8e35512fffb892a79e517411d1fcbd917685efc8a
  SHA512 1dba871074f97c68fe0c49bab166f801bcfad153be12e346f9baf39b9b1642d2db4b6255da5153ebf2994ba4c7d722011b98c4b053ece8313102995fa4e16440
- Estremita.adt (read by `findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$"`)
  MD5    8253b4f0646e3c127d146110f889215e
  SHA1   64a92b27c3762f2b0bc6af67c1de6e006c1b820d
  SHA256 08607493aab770b45ffdb7ffe5c1f3a5e5fdba0b55d03251f7117ee10f4d67ad
  SHA512 b6013ef36f296c50ab1a1b15b27fc8b5ba840d66279fcf5eab396c1fc5058760c6f08626a1119790bccd794fad1e2eb7cb764245408ade1838926a0e4e3d5f4c
- Ore.ini (input to `certutil -decode Ore.ini Z`)
  MD5    6c2dfee26bbca7045c465d9c0414b652
  SHA1   58ed46c2dc00097521d0db0819541d9e4909deb8
  SHA256 eeb47e521e0facfb217aef0e9c1cb57e147340b8e1c3d8e4acdff3e04dad2eef
  SHA512 8ddc4974e35b2fdf35556b28e4c49f3290308f537ce0f50ee6ddcd466abc8a1908c28905ac07a721f0b75f514a1b503c4464267e7bc51107a459f46c4ee93ed2
- Suo.dot (decoded from Brucia.xls; the batch script fed to cmd.exe 1740 over stdin)
  MD5    9d88809cceb6dab6ed296d8bef0dc0d5
  SHA1   a31e613888ca0cb3fd77d208c8621c05d2828ab9
  SHA256 74e36bf70290030e791e981aca49b1cc3e4e96aa12949add2d254cad3a095d37
  SHA512 84efe76ccc711af625a5f6a8fd3fb92dffda62b554f44df9ff9b65152a461f1c54659dca68debef324512d97d32b677e3fe6b6210f4bbec25a1cec02c657ab8a
- Tua.com (the dropped executable run as PIDs 296, 844 and 840; recorded seven times, four under C:\Users\... and three under \Users\..., all with identical hashes)
  MD5    78ba0653a340bac5ff152b21a83626cc
  SHA1   b12da9cb5d024555405040e65ad89d16ae749502
  SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- Z (decoded from Ore.ini; passed as the argument to Tua.com)
  MD5    89fbfd3b8f82003de0ced3fd68406bdd
  SHA1   57b2cc29133732e93ed2cf3853476dfecc8d007c
  SHA256 f091e7d727e58c93bdb06ffceca3ee720a29768ff9b175c35a978f68777d5388
  SHA512 8aa61d225a338733fa81f7abd5c288ff14a02669393c8a2f369712da614ff582d4144c6920bb36b13a64de583918f7c5524f8f2d738291dcf1ca8c43df98beb3
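Two of the files above (Brucia.xls and Ore.ini) only become meaningful after the `certutil -decode` steps in the process tree, and an analyst holding a copy of IXP000.TMP will want to reproduce those steps without running certutil on a Windows box. The following is an added example, not part of the report: a small stand-in for `certutil -decode` that tolerates the optional -----BEGIN/END----- guard lines and line wrapping certutil accepts, refuses input that is not Base64 (as certutil does), and triages what comes out. The encoded samples are constructed for the example and are not the real Brucia.xls or Ore.ini.

```python
import base64
import re

PEM_GUARD = re.compile(rb"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
B64_BODY = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def certutil_decode(data: bytes) -> bytes:
    """Mimic `certutil -decode`: drop optional -----BEGIN/END----- guard lines
    and all whitespace, then Base64-decode the remainder. Raises ValueError on
    input that is not a Base64 blob."""
    lines = [ln.strip() for ln in data.splitlines()]
    body = b"".join(ln for ln in lines if ln and not PEM_GUARD.match(ln))
    body = re.sub(rb"\s+", b"", body)
    if not body or not B64_BODY.match(body) or len(body) % 4:
        raise ValueError("input is not a Base64 blob")
    return base64.b64decode(body, validate=True)


def classify(blob: bytes) -> str:
    """Cheap triage of a decoded blob: PE image, batch/command text, other text, or binary."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    if re.search(r"(?im)^\s*(@echo\s+off|certutil|findstr|ping|start|set)\b", text):
        return "batch"
    return "text"


def recover(encoded_files: dict) -> dict:
    """Decode every {name: bytes} entry and return {name: (kind, size, decoded)}.
    A file that is not Base64 is reported as 'not-base64' instead of aborting the run."""
    out = {}
    for name, data in encoded_files.items():
        try:
            blob = certutil_decode(data)
        except ValueError:
            out[name] = ("not-base64", len(data), b"")
            continue
        out[name] = (classify(blob), len(blob), blob)
    return out


# Constructed stand-ins (not the real dropped files): a raw Base64 batch stage
# wrapped at 76 columns, a PEM-guarded fake PE header, and a non-Base64 file for the error path.
STAGE2_PLAIN = b"@echo off\r\ncertutil -decode Ore.ini Z\r\nTua.com Z\r\nping 127.0.0.1 -n 30\r\n"
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28
SAMPLES = {
    "Brucia.xls": base64.encodebytes(STAGE2_PLAIN),
    "Ore.ini": b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(FAKE_PE) + b"\r\n-----END CERTIFICATE-----\r\n",
    "not-b64.bin": b"lJeUmwiXzEXbPwzCIHvkQFe\r\nnot base64 at all!\r\n",
}

if __name__ == "__main__":
    for name, (kind, size, _) in recover(SAMPLES).items():
        print(f"{name:12s} {kind:10s} {size} bytes")
```

Run over a real IXP000.TMP the same loop would produce Suo.dot and Z for inspection; the `classify()` result tells you whether the next stage is a script to read or a PE to unpack, and the `not-base64` path keeps one undecodable file (for instance a marker-prefixed blob that still needs its findstr /V pass) from aborting the whole recovery.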
-
Memory dumps (entries ending in -mapping.dmp carry no memory range)
- memory/296-15-0x0000000000000000-mapping.dmp
- memory/576-11-0x0000000000000000-mapping.dmp
- memory/840-33-0x0000000010001000-0x0000000010003000-memory.dmp  8KB
- memory/840-28-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
- memory/840-32-0x00000000002D0000-0x00000000002D1000-memory.dmp  4KB
- memory/844-26-0x0000000000190000-0x0000000000191000-memory.dmp  4KB
- memory/844-22-0x0000000000000000-mapping.dmp
- memory/1188-19-0x0000000000000000-mapping.dmp
- memory/1620-34-0x0000000000000000-mapping.dmp
- memory/1620-35-0x0000000000060000-0x0000000000088000-memory.dmp  160KB
- memory/1620-36-0x0000000000110000-0x0000000000111000-memory.dmp  4KB
- memory/1692-9-0x0000000000000000-mapping.dmp
- memory/1740-8-0x0000000000000000-mapping.dmp
- memory/1888-5-0x0000000076071000-0x0000000076073000-memory.dmp  8KB
- memory/1888-4-0x0000000000000000-mapping.dmp
- memory/1980-3-0x0000000000000000-mapping.dmp
- memory/2016-2-0x0000000000000000-mapping.dmp

The two dumps to triage first are 840-28 (240KB at 0x00400000-0x0043C000, the image region of the Tua.com child whose thread context PID 844 set) and 1620-35 (160KB at 0x00060000-0x00088000 inside the wermgr.exe instance that PID 840 wrote into and that then enabled SeDebugPrivilege). Both are regions of processes that were written into from outside, so they are the natural candidates for the unpacked payload behind the extracted TrickBot configuration.