Resubmissions
- 09-02-2021 11:39 210209-lfyp24da5a 10
- 23-01-2021 17:01 210123-4xx12ayy3j 10
- 19-01-2021 14:31 210119-mb2j2mf9t2 10
- 19-01-2021 14:31 210119-kh2vsarw2e 10
- 18-01-2021 18:05 210118-e5d7l4pynn 10
Analysis
- max time kernel: 1734s
- max time network: 1793s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-01-2021 17:01
Static task: static1
Behavioral task: behavioral1
Sample: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Resource: win7v20201028
General
- Target: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
- Size: 532KB
- MD5: 2f9fc8e87e0484a96e7af9757228a789
- SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
- SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
- SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Malware Config
Extracted
trickbot
2000020
tot26
45.201.209.29:443
45.233.116.8:449
45.233.170.75:443
45.250.65.9:443
45.250.65.9:449
45.4.29.26:443
45.70.14.98:443
94.188.172.236:443
177.91.179.128:443
178.132.223.36:443
178.134.55.190:443
178.173.142.97:443
180.210.190.250:443
181.113.117.150:443
181.211.191.242:443
186.101.239.15:443
186.144.151.131:443
186.209.104.74:443
186.227.216.70:449
188.190.240.226:443
-
autorunName:pwgrab
Signatures
-
Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
-
Executes dropped EXE (1 IoC)
Processes:
pid   process
2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid   process
Token: SeDebugPrivilege   3508  wermgr.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid   process
1048  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                          pid   process                                                                  target process
PID 1048 wrote to memory of 2192     1048  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 1048 wrote to memory of 2192     1048  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 1048 wrote to memory of 2192     1048  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
PID 2192 wrote to memory of 3508     2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 2192 wrote to memory of 3508     2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 2192 wrote to memory of 3508     2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
PID 2192 wrote to memory of 3508     2192  f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1048
  - C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
    command line: C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2192
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 3508
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Roaming\DesktopColor\f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
MD5: 2f9fc8e87e0484a96e7af9757228a789
SHA1: 11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
SHA256: f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
SHA512: 34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
-
memory/1048-4-0x0000000002330000-0x0000000002332000-memory.dmp
Filesize: 8KB
-
memory/2192-5-0x0000000000000000-mapping.dmp
-
memory/2192-11-0x0000000002B90000-0x0000000002B91000-memory.dmp
Filesize: 4KB
-
memory/2192-10-0x0000000002270000-0x0000000002272000-memory.dmp
Filesize: 8KB
-
memory/2192-12-0x0000000010001000-0x0000000010003000-memory.dmp
Filesize: 8KB
-
memory/3508-13-0x0000000000000000-mapping.dmp
-
memory/3508-14-0x000001AA81370000-0x000001AA81397000-memory.dmp
Filesize: 156KB
-
memory/3508-15-0x000001AA81490000-0x000001AA81491000-memory.dmp
Filesize: 4KB