Analysis

Max time kernel: 145s
Max time network: 146s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 05-05-2021 14:33
Static task: static1
Behavioral task: behavioral1
Sample: redbutton.png.exe
Resource: win7v20210408
General

Target: redbutton.png.exe
Size: 644KB
MD5: 0de5c20eff6c993ab8ee0dd9d2d6f9f1
SHA1: a1782a3323d625684555af7c4144e2422107dafb
SHA256: 241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
SHA512: c6c9dffa4f4e8f6a216ae3b182db4b37f2e39f12e6de43cfabccc3e04968e6c354a30d22bad672dc60eae2e03355154dc856b9b4c33a1d5341d4a51398ca2bd7
Malware Config

Extracted: trickbot
2000029
tot94
autorun: Name:pwgrab; Name:pwgrabc
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid  process
Token: SeDebugPrivilege   192  wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid  process
744  redbutton.png.exe
744  redbutton.png.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                       pid  process            target process
PID 744 wrote to memory of 2800   744  redbutton.png.exe  cmd.exe
PID 744 wrote to memory of 2800   744  redbutton.png.exe  cmd.exe
PID 744 wrote to memory of 3344   744  redbutton.png.exe  cmd.exe
PID 744 wrote to memory of 3344   744  redbutton.png.exe  cmd.exe
PID 744 wrote to memory of 192    744  redbutton.png.exe  wermgr.exe
PID 744 wrote to memory of 192    744  redbutton.png.exe  wermgr.exe
PID 744 wrote to memory of 192    744  redbutton.png.exe  wermgr.exe
PID 744 wrote to memory of 192    744  redbutton.png.exe  wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe"
  PID: 744
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      PID: 2800

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      PID: 3344

    C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 192
      - Suspicious use of AdjustPrivilegeToken
Downloads
File                                                               Filesize
memory/192-121-0x0000000000000000-mapping.dmp                      -
memory/192-123-0x000001FB170B0000-0x000001FB170B1000-memory.dmp    4KB
memory/192-122-0x000001FB17070000-0x000001FB17099000-memory.dmp    164KB
memory/744-114-0x00000000024F0000-0x000000000252F000-memory.dmp    252KB
memory/744-117-0x00000000022A0000-0x00000000022DC000-memory.dmp    240KB
memory/744-118-0x0000000002531000-0x000000000256A000-memory.dmp    228KB
memory/744-120-0x0000000010001000-0x0000000010003000-memory.dmp    8KB
memory/744-119-0x0000000002410000-0x0000000002411000-memory.dmp    4KB