Analysis
- max time kernel: 63s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 17-06-2021 15:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
- Resource: win7v20210410
General
- Target: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
- Size: 540KB
- MD5: 1a5f3ca6597fcccd3295ead4d22ce70b
- SHA1: 31a359bfee00337bc9c6d23c2cb88737ac9b61c8
- SHA256: 7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7
- SHA512: 91e4f72900f10e39901cb4c3ca5f1d39d4f61501dc9b709ce03c55010606e341be5359252cc1d9a253a3f746af40321ca3a23a91d63dc69cd9b730110773b315
Malware Config
Extracted
- Family: trickbot
- Version: 2000030
- Botnet: tot112
- C2:
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
- autorun:
  - Name: pwgrabb
  - Name: pwgrabc
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  18 | myexternalip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3164 | wermgr.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 516 wrote to memory of 3396 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 516 wrote to memory of 3396 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 516 wrote to memory of 2908 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 516 wrote to memory of 2908 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe
  PID 516 wrote to memory of 3164 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 516 wrote to memory of 3164 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 516 wrote to memory of 3164 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
  PID 516 wrote to memory of 3164 | 516 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/516-114-0x0000000000DE0000-0x0000000000E29000-memory.dmp (Filesize: 292KB)
- memory/516-116-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/516-115-0x0000000000680000-0x0000000000681000-memory.dmp (Filesize: 4KB)
- memory/3164-117-0x0000000000000000-mapping.dmp
- memory/3164-118-0x000001D482D20000-0x000001D482D49000-memory.dmp (Filesize: 164KB)
- memory/3164-119-0x000001D482D60000-0x000001D482D61000-memory.dmp (Filesize: 4KB)