Analysis
- max time kernel: 140s
- max time network: 187s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-07-2021 18:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20210410
General
- Target: sample.exe
- Size: 564KB
- MD5: 06285860cd0beb177a7fb794bf8c1eb6
- SHA1: c5f84431a2270f0840b29c90302ed8ae4ffcd7b3
- SHA256: 101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636
- SHA512: 618234e3764f0c79461b5d504522e58959d696417d399bc9f3e311a6ca510e3042b55dd9231b6144757d1dc82809c1784c0b955862730385a27129bc9db9f921
Malware Config
Extracted
- Family: trickbot
- Version: 100018
- Botnet: rob110
- autorun:
  - Name: pwgrabb
  - Name: pwgrabc
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, pid 1656, process wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid 1668, process sample.exe (2 IoCs)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  - PID 1668 wrote to memory of 1524, pid 1668, process sample.exe, target process cmd.exe (4 IoCs)
  - PID 1668 wrote to memory of 1656, pid 1668, process sample.exe, target process wermgr.exe (6 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1656-67-0x0000000000000000-mapping.dmp
- memory/1656-68-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
- memory/1656-69-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
- memory/1668-59-0x00000000753B1000-0x00000000753B3000-memory.dmp (Filesize: 8KB)
- memory/1668-60-0x00000000005F0000-0x0000000000631000-memory.dmp (Filesize: 260KB)
- memory/1668-63-0x00000000005B0000-0x00000000005EF000-memory.dmp (Filesize: 252KB)
- memory/1668-64-0x0000000001E90000-0x0000000001ECD000-memory.dmp (Filesize: 244KB)
- memory/1668-65-0x00000000002C0000-0x00000000002D1000-memory.dmp (Filesize: 68KB)
- memory/1668-66-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)