Resubmissions
25-02-2021 19:33
210225-ckt8nv3sn2 1025-02-2021 19:29
210225-3e1s9c98dn 1011-02-2021 15:28
210211-8grt4rpew2 1011-02-2021 08:01
210211-4q732bhs9s 10Analysis
-
max time kernel
1727s -
max time network
1729s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-02-2021 15:28
Static task
static1
Behavioral task
behavioral1
Sample
4c765049f292cb94f47f91dbe243d4b2.exe
Resource
win7v20201028
General
-
Target
4c765049f292cb94f47f91dbe243d4b2.exe
-
Size
912KB
-
MD5
4c765049f292cb94f47f91dbe243d4b2
-
SHA1
610911bf779ba590ad382be6f8ed799171d12f50
-
SHA256
91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
-
SHA512
d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584
Malware Config
Extracted
trickbot
2000025
tot39
134.119.186.200:443
45.14.226.115:443
85.204.116.134:443
45.89.127.240:443
195.123.241.195:443
188.34.142.248:443
185.234.72.84:443
108.170.20.72:443
94.158.245.54:443
134.119.186.201:443
45.83.129.224:443
85.93.159.98:449
92.242.214.203:449
202.21.103.194:449
169.239.45.42:449
45.234.248.66:449
103.91.244.102:449
118.67.216.238:449
117.212.193.62:449
201.184.190.59:449
103.29.185.138:449
79.122.166.236:449
37.143.150.186:449
179.191.108.58:449
85.159.214.61:443
149.56.80.31:443
-
autorunName:pwgrab
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 21 1752 cmd.exe 22 1888 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1672 4c765049f292cb94f47f91dbe243d4b2.exe -
Loads dropped DLL 2 IoCs
pid Process 1812 4c765049f292cb94f47f91dbe243d4b2.exe 1812 4c765049f292cb94f47f91dbe243d4b2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ipecho.net -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe 4c765049f292cb94f47f91dbe243d4b2.exe File opened for modification C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe 4c765049f292cb94f47f91dbe243d4b2.exe File created C:\Program Files (x86)\DinoComp\AlternateServices.txt wermgr.exe File created C:\Program Files (x86)\DinoComp\cn\quvibqes.txt wermgr.exe -
Discovers systems in the same network 1 TTPs 2 IoCs
pid Process 1132 net.exe 1832 net.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 1516 ipconfig.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 620 cmd.exe 1752 cmd.exe 620 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1224 wermgr.exe Token: SeDebugPrivilege 620 cmd.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1812 4c765049f292cb94f47f91dbe243d4b2.exe 1812 4c765049f292cb94f47f91dbe243d4b2.exe 1672 4c765049f292cb94f47f91dbe243d4b2.exe 1672 4c765049f292cb94f47f91dbe243d4b2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1812 wrote to memory of 1672 1812 4c765049f292cb94f47f91dbe243d4b2.exe 29 PID 1812 wrote to memory of 1672 1812 4c765049f292cb94f47f91dbe243d4b2.exe 29 PID 1812 wrote to memory of 1672 1812 4c765049f292cb94f47f91dbe243d4b2.exe 29 PID 1812 wrote to memory of 1672 1812 4c765049f292cb94f47f91dbe243d4b2.exe 29 PID 1672 wrote to memory of 1516 1672 4c765049f292cb94f47f91dbe243d4b2.exe 30 PID 1672 wrote to memory of 1516 1672 4c765049f292cb94f47f91dbe243d4b2.exe 30 PID 1672 wrote to memory of 1516 1672 4c765049f292cb94f47f91dbe243d4b2.exe 30 PID 1672 wrote to memory of 1516 1672 4c765049f292cb94f47f91dbe243d4b2.exe 30 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1672 wrote to memory of 1224 1672 4c765049f292cb94f47f91dbe243d4b2.exe 31 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32 PID 1224 wrote to memory of 620 1224 wermgr.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵PID:1516
-
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1752 -
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
PID:1516
-
-
C:\Windows\system32\net.exenet config workstation5⤵PID:900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config workstation6⤵PID:944
-
-
-
C:\Windows\system32\net.exenet view /all5⤵
- Discovers systems in the same network
PID:1132
-
-
C:\Windows\system32\net.exenet view /all /domain5⤵
- Discovers systems in the same network
PID:1832
-
-
C:\Windows\system32\nltest.exenltest /domain_trusts5⤵PID:2008
-
-
C:\Windows\system32\nltest.exenltest /domain_trusts /all_trusts5⤵PID:1436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Blocklisted process makes network request
PID:1888
-
-
-