Resubmissions
25/02/2021, 19:33  210225-ckt8nv3sn2  score 10
25/02/2021, 19:29  210225-3e1s9c98dn  score 10
11/02/2021, 15:28  210211-8grt4rpew2  score 10
11/02/2021, 08:01  210211-4q732bhs9s  score 10
Analysis
max time kernel: 600s
max time network: 601s
platform: windows7_x64
resource: win7v20201028
submitted: 25/02/2021, 19:33
Static task: static1
Behavioral task: behavioral1
Sample: 4c765049f292cb94f47f91dbe243d4b2.exe
Resource: win7v20201028
General
Target: 4c765049f292cb94f47f91dbe243d4b2.exe
Size: 912KB
MD5: 4c765049f292cb94f47f91dbe243d4b2
SHA1: 610911bf779ba590ad382be6f8ed799171d12f50
SHA256: 91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
SHA512: d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584
Malware Config
Extracted
Family: trickbot
Version: 2000025
Botnet: tot39
autorunName: pwgrab
Signatures
- Executes dropped EXE (1 IoC)
  PID 1016  4c765049f292cb94f47f91dbe243d4b2.exe
- Loads dropped DLL (2 IoCs)
  PID 1636  4c765049f292cb94f47f91dbe243d4b2.exe  (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 19  myexternalip.com
- Drops file in Program Files directory (4 IoCs)
  File opened for modification  C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe  by 4c765049f292cb94f47f91dbe243d4b2.exe
  File created  C:\Program Files (x86)\DinoComp\SiteSecurityServiceState.txt  by wermgr.exe
  File created  C:\Program Files (x86)\DinoComp\cn\waptmmma.txt  by wermgr.exe
  File created  C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe  by 4c765049f292cb94f47f91dbe243d4b2.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 752  cmd.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1788  wermgr.exe
  Token: SeDebugPrivilege  PID 752  cmd.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1636  4c765049f292cb94f47f91dbe243d4b2.exe  (2 entries)
  PID 1016  4c765049f292cb94f47f91dbe243d4b2.exe  (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, distinct source/target pairs listed)
  PID 1636 (4c765049f292cb94f47f91dbe243d4b2.exe) wrote to memory of PID 1016  procid_target 29  (4 entries)
  PID 1016 (4c765049f292cb94f47f91dbe243d4b2.exe) wrote to memory of PID 1020  procid_target 30  (4 entries)
  PID 1016 (4c765049f292cb94f47f91dbe243d4b2.exe) wrote to memory of PID 1788  procid_target 31  (6 entries)
  PID 1788 (wermgr.exe) wrote to memory of PID 752  procid_target 32  (all remaining entries)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
  PID: 1636
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
    Command line: "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
    PID: 1016
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 1020
    [depth 3] C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 1788
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe
        PID: 752
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken