Analysis
- max time kernel: 125s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-05-2021 13:08
Static task: static1
Behavioral task: behavioral1
Sample: redbutton.png.exe
Resource: win7v20210410
General
- Target: redbutton.png.exe
- Size: 740KB
- MD5: 8e20c994daaeeba5e4d70760d73cf52e
- SHA1: d06b99a511bbd787ac5aed453af8d64e160816fb
- SHA256: 2f3c6660f3aa00ef8039afb3efadfe91abf8cf5b5d6ac000e114e91d636e11f7
- SHA512: d6535b086a06ae5eaee2e4c7abe63ea49e0252200fda328655c2d3b59f867315dfbdb144233ea7666d7991ecb17b74cb7e7721b99c69895b23cefc44c2511a12
Malware Config
Extracted
- family: trickbot
- version: 2000029
- botnet: tot96
- C2 servers (20 IP:port pairs):
- autorun modules: Name:pwgrabb; Name:pwgrabc
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 19: ioc ident.me
  flow 20: ioc ident.me
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege, pid 3780, process wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid 900, process redbutton.png.exe
  pid 900, process redbutton.png.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 900 wrote to memory of 3796; 900; redbutton.png.exe; cmd.exe
  PID 900 wrote to memory of 3796; 900; redbutton.png.exe; cmd.exe
  PID 900 wrote to memory of 744; 900; redbutton.png.exe; cmd.exe
  PID 900 wrote to memory of 744; 900; redbutton.png.exe; cmd.exe
  PID 900 wrote to memory of 3780; 900; redbutton.png.exe; wermgr.exe
  PID 900 wrote to memory of 3780; 900; redbutton.png.exe; wermgr.exe
  PID 900 wrote to memory of 3780; 900; redbutton.png.exe; wermgr.exe
  PID 900 wrote to memory of 3780; 900; redbutton.png.exe; wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe (command line: "C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe"), level 1
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (command line: C:\Windows\system32\cmd.exe), level 2
  - C:\Windows\system32\cmd.exe (command line: C:\Windows\system32\cmd.exe), level 2
  - C:\Windows\system32\wermgr.exe (command line: C:\Windows\system32\wermgr.exe), level 2
    - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
- memory/900-114-0x0000000002310000-0x000000000234F000-memory.dmp (filesize 252KB)
- memory/900-118-0x0000000002381000-0x00000000023BA000-memory.dmp (filesize 228KB)
- memory/900-117-0x0000000000680000-0x00000000006BC000-memory.dmp (filesize 240KB)
- memory/900-120-0x0000000010001000-0x0000000010003000-memory.dmp (filesize 8KB)
- memory/900-119-0x00000000006C0000-0x00000000006C1000-memory.dmp (filesize 4KB)
- memory/3780-121-0x0000000000000000-mapping.dmp
- memory/3780-123-0x000001B983F10000-0x000001B983F11000-memory.dmp (filesize 4KB)
- memory/3780-122-0x000001B983ED0000-0x000001B983EF9000-memory.dmp (filesize 164KB)