Analysis
- max time kernel: 43s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-06-2021 15:20
Static task: static1
Behavioral task: behavioral1
- Sample: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
- Resource: win7v20210410
General
- Target: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
- Size: 540KB
- MD5: 1a5f3ca6597fcccd3295ead4d22ce70b
- SHA1: 31a359bfee00337bc9c6d23c2cb88737ac9b61c8
- SHA256: 7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7
- SHA512: 91e4f72900f10e39901cb4c3ca5f1d39d4f61501dc9b709ce03c55010606e341be5359252cc1d9a253a3f746af40321ca3a23a91d63dc69cd9b730110773b315
Malware Config
Extracted
- Family: trickbot
- Version: 2000030
- Botnet: tot112
- C2 (IP:port):
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
- autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1560 | wermgr.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        | pid  | process                              | target process
  PID 1072 wrote to memory of 1156   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 1156   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 1156   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 1156   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 836    | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 836    | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 836    | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 836    | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 1072 wrote to memory of 1560   | 1072 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe"
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe
  - [2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe
  - [2] C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1072-59-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize: 8KB)
- memory/1072-60-0x0000000000070000-0x00000000000B9000-memory.dmp (Filesize: 292KB)
- memory/1072-61-0x00000000002D0000-0x00000000002E1000-memory.dmp (Filesize: 68KB)
- memory/1072-62-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1560-63-0x0000000000000000-mapping.dmp
- memory/1560-64-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
- memory/1560-65-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)