Resubmissions

Submitted           Task ID             Score
25-02-2021 19:33    210225-ckt8nv3sn2   10
25-02-2021 19:29    210225-3e1s9c98dn   10
11-02-2021 15:28    210211-8grt4rpew2   10
11-02-2021 08:01    210211-4q732bhs9s   10

Analysis
max time kernel: 44s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 11-02-2021 08:01

Static task: static1
Behavioral task: behavioral1
Sample: 4c765049f292cb94f47f91dbe243d4b2.exe
Resource: win7v20201028
General

Target: 4c765049f292cb94f47f91dbe243d4b2.exe
Size: 912KB
MD5: 4c765049f292cb94f47f91dbe243d4b2
SHA1: 610911bf779ba590ad382be6f8ed799171d12f50
SHA256: 91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
SHA512: d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584
Malware Config

Extracted
Family: trickbot
Version: 2000025
Botnet: tot39
C2:
  134.119.186.200:443
  45.14.226.115:443
  85.204.116.134:443
  45.89.127.240:443
  195.123.241.195:443
  188.34.142.248:443
  185.234.72.84:443
  108.170.20.72:443
  94.158.245.54:443
  134.119.186.201:443
  45.83.129.224:443
  85.93.159.98:449
  92.242.214.203:449
  202.21.103.194:449
  169.239.45.42:449
  45.234.248.66:449
  103.91.244.102:449
  118.67.216.238:449
  117.212.193.62:449
  201.184.190.59:449
  103.29.185.138:449
  79.122.166.236:449
  37.143.150.186:449
  179.191.108.58:449
  85.159.214.61:443
  149.56.80.31:443
Attributes:
  autorunName: pwgrab
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid 3140  4c765049f292cb94f47f91dbe243d4b2.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 19  ioc wtfismyip.com

- Drops file in Program Files directory (2 IoCs)
  Processes:
    File created: C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe  (process 4c765049f292cb94f47f91dbe243d4b2.exe)
    File opened for modification: C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe  (process 4c765049f292cb94f47f91dbe243d4b2.exe)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1404  wermgr.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid 1400  4c765049f292cb94f47f91dbe243d4b2.exe
    pid 1400  4c765049f292cb94f47f91dbe243d4b2.exe
    pid 3140  4c765049f292cb94f47f91dbe243d4b2.exe
    pid 3140  4c765049f292cb94f47f91dbe243d4b2.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1400 wrote to memory of 3140  4c765049f292cb94f47f91dbe243d4b2.exe -> 4c765049f292cb94f47f91dbe243d4b2.exe
    PID 1400 wrote to memory of 3140  4c765049f292cb94f47f91dbe243d4b2.exe -> 4c765049f292cb94f47f91dbe243d4b2.exe
    PID 1400 wrote to memory of 3140  4c765049f292cb94f47f91dbe243d4b2.exe -> 4c765049f292cb94f47f91dbe243d4b2.exe
    PID 3140 wrote to memory of 748   4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
    PID 3140 wrote to memory of 748   4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
    PID 3140 wrote to memory of 1404  4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
    PID 3140 wrote to memory of 1404  4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
    PID 3140 wrote to memory of 1404  4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
    PID 3140 wrote to memory of 1404  4c765049f292cb94f47f91dbe243d4b2.exe -> wermgr.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
    Command line: "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe

    - C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
  MD5: 4c765049f292cb94f47f91dbe243d4b2
  SHA1: 610911bf779ba590ad382be6f8ed799171d12f50
  SHA256: 91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
  SHA512: d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff
  MD5: 15907d9d2a3108ca7c5a863de29462e2
  SHA1: b3a5e8a7291089ef600dcd9ef6ece33118021b8b
  SHA256: 1112f9a201596d4c8045da5e10001d27bb1cd50366b97f23edef2d7d2145af40
  SHA512: 4c3915472d19526bfdfa0b56fc34d8c15f9d246c23cb4ccd664f7c9e93ea54aee4f9e31511c203e1e574f266d38e2b8d2c0ffbd5d6f0cc7a246ded54984d90f7

- memory/1400-2-0x0000000003DB0000-0x0000000003DE8000-memory.dmp
  Filesize: 224KB

- memory/1400-3-0x0000000003D70000-0x0000000003DA6000-memory.dmp
  Filesize: 216KB

- memory/1404-12-0x0000000000000000-mapping.dmp

- memory/1404-14-0x0000023671D30000-0x0000023671D31000-memory.dmp
  Filesize: 4KB

- memory/1404-13-0x0000023671C20000-0x0000023671C47000-memory.dmp
  Filesize: 156KB

- memory/3140-4-0x0000000000000000-mapping.dmp

- memory/3140-8-0x0000000003FC0000-0x0000000003FF8000-memory.dmp
  Filesize: 224KB

- memory/3140-11-0x0000000010001000-0x0000000010003000-memory.dmp
  Filesize: 8KB

- memory/3140-10-0x0000000004160000-0x0000000004161000-memory.dmp
  Filesize: 4KB