Analysis
- Max time kernel: 56s
- Max time network: 55s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 24-03-2021 17:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe
- Resource: win7v20201028
General
- Target: ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe
- Size: 798KB
- MD5: 5dbcbbe197be8385ba34485bf3be0326
- SHA1: d6eb690bb899b5cd5b0933fac5e24bf6686850a3
- SHA256: ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590
- SHA512: 9bfb4917cce802379ad73c08623dbee743b072f0d0996d11f7cb02ea66c7d4645230268b244b8e21f8eb7702f98bfa16472d1e3ae8534ef6abeb5ccc0ddaa565
Malware Config
Extracted
- Family: trickbot
- Version: 100010
- Botnet: rob35
- Attributes: autorunName:pwgrab
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: cmd.exe, flow 3, PID 284
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: cmd.exe, PID 284, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PID 1888 (ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe) wrote to memory of PID 284 (cmd.exe), recorded 6 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/284-7-0x0000000000000000-mapping.dmp
- memory/284-8-0x0000000000060000-0x0000000000088000-memory.dmp (Filesize: 160KB)
- memory/284-9-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize: 4KB)
- memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmp (Filesize: 8KB)
- memory/1888-3-0x0000000000240000-0x0000000000245000-memory.dmp (Filesize: 20KB)
- memory/1888-4-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
- memory/1888-5-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/1888-6-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)