Resubmissions
25-02-2021 19:33
210225-ckt8nv3sn2 1025-02-2021 19:29
210225-3e1s9c98dn 1011-02-2021 15:28
210211-8grt4rpew2 1011-02-2021 08:01
210211-4q732bhs9s 10Analysis
-
max time kernel
1631s -
max time network
1698s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-02-2021 15:28
Static task
static1
Behavioral task
behavioral1
Sample
4c765049f292cb94f47f91dbe243d4b2.exe
Resource
win7v20201028
General
-
Target
4c765049f292cb94f47f91dbe243d4b2.exe
-
Size
912KB
-
MD5
4c765049f292cb94f47f91dbe243d4b2
-
SHA1
610911bf779ba590ad382be6f8ed799171d12f50
-
SHA256
91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
-
SHA512
d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584
Malware Config
Extracted
trickbot
2000025
tot39
134.119.186.200:443
45.14.226.115:443
85.204.116.134:443
45.89.127.240:443
195.123.241.195:443
188.34.142.248:443
185.234.72.84:443
108.170.20.72:443
94.158.245.54:443
134.119.186.201:443
45.83.129.224:443
85.93.159.98:449
92.242.214.203:449
202.21.103.194:449
169.239.45.42:449
45.234.248.66:449
103.91.244.102:449
118.67.216.238:449
117.212.193.62:449
201.184.190.59:449
103.29.185.138:449
79.122.166.236:449
37.143.150.186:449
179.191.108.58:449
85.159.214.61:443
149.56.80.31:443
-
autorunName:pwgrab
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 38 652 cmd.exe 41 1040 cmd.exe 46 2684 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 3620 4c765049f292cb94f47f91dbe243d4b2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 api.ipify.org 30 api.ipify.org -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe 4c765049f292cb94f47f91dbe243d4b2.exe File opened for modification C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe 4c765049f292cb94f47f91dbe243d4b2.exe File created C:\Program Files (x86)\DinoComp\profiles.ini wermgr.exe -
Discovers systems in the same network 1 TTPs 2 IoCs
pid Process 4396 net.exe 1800 net.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2124 ipconfig.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 652 cmd.exe 652 cmd.exe 1040 cmd.exe 1040 cmd.exe 652 cmd.exe 652 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4244 wermgr.exe Token: SeDebugPrivilege 652 cmd.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4704 4c765049f292cb94f47f91dbe243d4b2.exe 4704 4c765049f292cb94f47f91dbe243d4b2.exe 3620 4c765049f292cb94f47f91dbe243d4b2.exe 3620 4c765049f292cb94f47f91dbe243d4b2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4704 wrote to memory of 3620 4704 4c765049f292cb94f47f91dbe243d4b2.exe 75 PID 4704 wrote to memory of 3620 4704 4c765049f292cb94f47f91dbe243d4b2.exe 75 PID 4704 wrote to memory of 3620 4704 4c765049f292cb94f47f91dbe243d4b2.exe 75 PID 3620 wrote to memory of 744 3620 4c765049f292cb94f47f91dbe243d4b2.exe 76 PID 3620 wrote to memory of 744 3620 4c765049f292cb94f47f91dbe243d4b2.exe 76 PID 3620 wrote to memory of 4244 3620 4c765049f292cb94f47f91dbe243d4b2.exe 80 PID 3620 wrote to memory of 4244 3620 4c765049f292cb94f47f91dbe243d4b2.exe 80 PID 3620 wrote to memory of 4244 3620 4c765049f292cb94f47f91dbe243d4b2.exe 80 PID 3620 wrote to memory of 4244 3620 4c765049f292cb94f47f91dbe243d4b2.exe 80 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81 PID 4244 wrote to memory of 652 4244 wermgr.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵PID:744
-
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1040 -
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
PID:2124
-
-
C:\Windows\system32\net.exenet config workstation5⤵PID:4344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config workstation6⤵PID:3252
-
-
-
C:\Windows\system32\net.exenet view /all5⤵
- Discovers systems in the same network
PID:1800
-
-
C:\Windows\system32\net.exenet view /all /domain5⤵
- Discovers systems in the same network
PID:4396
-
-
C:\Windows\system32\nltest.exenltest /domain_trusts5⤵PID:1736
-
-
C:\Windows\system32\nltest.exenltest /domain_trusts /all_trusts5⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe4⤵
- Blocklisted process makes network request
PID:2684
-
-
-