Analysis
max time kernel: 138s
max time network: 168s
platform: windows7_x64
resource: win7v20210408
submitted: 17-06-2021 16:02
Static task: static1
Behavioral task: behavioral1
Sample: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
Resource: win7v20210408
General
Target: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
Size: 540KB
MD5: 1a5f3ca6597fcccd3295ead4d22ce70b
SHA1: 31a359bfee00337bc9c6d23c2cb88737ac9b61c8
SHA256: 7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7
SHA512: 91e4f72900f10e39901cb4c3ca5f1d39d4f61501dc9b709ce03c55010606e341be5359252cc1d9a253a3f746af40321ca3a23a91d63dc69cd9b730110773b315
Malware Config
Extracted
Family: trickbot
Version: 2000030
Botnet: tot112
Attributes:
autorun: Name:pwgrabb Name:pwgrabc
ecc_pubkey.base64:
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
15 | api.ipify.org

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 568 | wermgr.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | process | target process
PID 1052 wrote to memory of 1712 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe (4 entries)
PID 1052 wrote to memory of 1708 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe (4 entries)
PID 1052 wrote to memory of 568 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe (6 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe"
signature: Suspicious use of WriteProcessMemory

C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe

C:\Windows\system32\wermgr.exe
command line: C:\Windows\system32\wermgr.exe
signature: Suspicious use of AdjustPrivilegeToken
Downloads
memory/568-64-0x0000000000000000-mapping.dmp
memory/568-65-0x0000000000060000-0x0000000000089000-memory.dmp
memory/568-66-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1052-60-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/1052-61-0x0000000000260000-0x00000000002A9000-memory.dmp
memory/1052-62-0x00000000000F0000-0x0000000000101000-memory.dmp
memory/1052-63-0x0000000010001000-0x0000000010003000-memory.dmp