Analysis

max time kernel: 137s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 24-09-2021 07:29
Static task: static1
Behavioral task: behavioral1
Sample: 6d5df1fa0e78c988a0e9aac669ddc78e.exe
Resource: win7-en-20210920
General

Target: 6d5df1fa0e78c988a0e9aac669ddc78e.exe
Size: 360KB
MD5: 6d5df1fa0e78c988a0e9aac669ddc78e
SHA1: 8e451f3f1244f403e2868f55a8ceee67a95713eb
SHA256: cdc1749131ae1052d43c047b8f3bb5a7785fc4ddd231de0d5e3ee8627c6d342f
SHA512: 5f95559fa48beb05eac713434c0727ac38685044636008b3b1831471797c2700203bd90257c93c667c0722bb54734b54d3741ed8c8f8ea31f0f0d15f8b962469
Malware Config

Extracted
Family: trickbot
Version: 2000033
Botnet: tot152
autorun
  Name: pwgrabb
  Name: pwgrabc
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  668  wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe
  3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                               target process
  PID 3260 wrote to memory of 668   3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  wermgr.exe
  PID 3260 wrote to memory of 668   3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  wermgr.exe
  PID 3260 wrote to memory of 3976  3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  cmd.exe
  PID 3260 wrote to memory of 3976  3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  cmd.exe
  PID 3260 wrote to memory of 668   3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  wermgr.exe
  PID 3260 wrote to memory of 668   3260  6d5df1fa0e78c988a0e9aac669ddc78e.exe  wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6d5df1fa0e78c988a0e9aac669ddc78e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d5df1fa0e78c988a0e9aac669ddc78e.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe (depth 2)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe
Downloads

memory/668-121-0x0000000000000000-mapping.dmp
memory/668-123-0x0000024DD1130000-0x0000024DD1131000-memory.dmp (Filesize: 4KB)
memory/668-122-0x0000024DD1020000-0x0000024DD1049000-memory.dmp (Filesize: 164KB)
memory/3260-114-0x0000000002BF0000-0x0000000002C2F000-memory.dmp (Filesize: 252KB)
memory/3260-118-0x0000000002C30000-0x0000000002C6B000-memory.dmp (Filesize: 236KB)
memory/3260-117-0x0000000002BB0000-0x0000000002BED000-memory.dmp (Filesize: 244KB)
memory/3260-119-0x0000000002C70000-0x0000000002C71000-memory.dmp (Filesize: 4KB)
memory/3260-120-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)