Analysis
- max time kernel: 138s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 06:33

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe
- Resource: win7v20201028
General
- Target: 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe
- Size: 532KB
- MD5: 2939f396d5b175b2e1f28b05c09e812b
- SHA1: d040e2a1d29f0b37a5e888d2402432d78440cb54
- SHA256: 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22
- SHA512: ac18886ead5c6e9476e36c0af5bf0a7a9837d8cb9f8fa12fa40c77492c2bdce6cfa33d074d45ca46658a9895fb4dce19824af578431915a696449cd5f3b0eb94
Malware Config
Extracted
- trickbot
- 100015
- yas58
- autorunName:pwgrab
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1356 | wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 776 wrote to memory of 608 | 776 | 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe | cmd.exe (4 identical entries)
  PID 776 wrote to memory of 1356 | 776 | 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe | wermgr.exe (6 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - [2] C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize: 8KB)
- memory/776-3-0x0000000000230000-0x000000000026C000-memory.dmp (Filesize: 240KB)
- memory/776-4-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
- memory/776-5-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1356-6-0x0000000000000000-mapping.dmp
- memory/1356-7-0x00000000000E0000-0x0000000000109000-memory.dmp (Filesize: 164KB)
- memory/1356-8-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize: 4KB)