Analysis
- max time kernel: 151s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-05-2021 15:04

Static task: static1
Behavioral task: behavioral1
Sample: redbutton.png.exe
Resource: win7v20210410
General
- Target: redbutton.png.exe
- Size: 684KB
- MD5: 21eb9b5b1d887bb389530811600fa9a3
- SHA1: da5f52ca735f10b98b1d6aca7dd86a1cde04fbbd
- SHA256: 21382e955d23c9c2ff9aa617070f33f898745d568b82338c9a4c1a1652ae5a12
- SHA512: 9e142a3a095b7e79a9ae5b05c32eb4ce96430d45b4a010239f3e0afb0e02cd79e7ccef4e3ae0a91e7ecd3a19653e7ecf7e843c754780114bc0deaae9510b5778
Malware Config
Extracted
trickbot
2000029
tot95
- autorun
  Name: pwgrabb
  Name: pwgrabc
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1728 | wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid  | process
  1104 | redbutton.png.exe
  1104 | redbutton.png.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                      | pid  | process           | target process
  PID 1104 wrote to memory of 1200 | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 1200 | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 1200 | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 1200 | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 844  | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 844  | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 844  | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 844  | 1104 | redbutton.png.exe | cmd.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
  PID 1104 wrote to memory of 1728 | 1104 | redbutton.png.exe | wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp
  Filesize: 8KB
- memory/1104-61-0x00000000003B0000-0x00000000003EF000-memory.dmp
  Filesize: 252KB
- memory/1104-64-0x0000000000370000-0x00000000003AC000-memory.dmp
  Filesize: 240KB
- memory/1104-65-0x00000000004B1000-0x00000000004EA000-memory.dmp
  Filesize: 228KB
- memory/1104-67-0x0000000010001000-0x0000000010003000-memory.dmp
  Filesize: 8KB
- memory/1104-66-0x00000000004F0000-0x0000000000501000-memory.dmp
  Filesize: 68KB
- memory/1728-68-0x0000000000000000-mapping.dmp
- memory/1728-69-0x0000000000060000-0x0000000000089000-memory.dmp
  Filesize: 164KB
- memory/1728-70-0x0000000000110000-0x0000000000111000-memory.dmp
  Filesize: 4KB