Analysis

Max time kernel: 127s
Max time network: 145s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 24-09-2021 08:47
Static task: static1
Behavioral task: behavioral1
  Sample: 7992fdcc40a3862cb85c760c8bec72bf.exe
  Resource: win7v20210408
General

Target: 7992fdcc40a3862cb85c760c8bec72bf.exe
Size: 356KB
MD5: 7992fdcc40a3862cb85c760c8bec72bf
SHA1: 2c7124204909efbdb11cc5622da1ea15b2c4d14d
SHA256: 39babf7e74e70e6989fe2f017a73d32924c2c49e17a5e597b9dc655404499c77
SHA512: 3f9d0921cbf50dd0978d65d3ffa35e3a9bbbb7356e44f6f34b3a065c45bff46e84a59726eac731d531f95cbb58c2421b7da64c0fc06148a7d8c1945aaae46d82
Malware Config

Extracted
Family: trickbot
Version: 100019
Botnet: top124
C2:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Autorun:
Name: pwgrabb
Name: pwgrabc
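The config block above is the most reusable output of this report: the family, version, campaign tag (TrickBot's "gtag", here top124), the C2 endpoints and the autorun module names. The following is an added example, not Triage's code and not anything from the sample, that parses the block into a structured object, validates each C2 entry, emits one Suricata rule per endpoint and groups endpoints by shared network prefix. The parser is shape-based so it accepts both the cleaned "Key: value" layout and the bare one-value-per-line layout a raw extraction produces; the embedded text is a constructed copy of the block above, and the rule message prefix and sid range are assumptions.

```python
"""Turn the extracted TrickBot config into structured IOCs.

Added example for this report; it is neither Triage code nor TrickBot code.
The parser is shape-based, so it accepts both the cleaned "Key: value" layout
and the bare one-value-per-line layout a raw extraction produces (including
the run-together "autorunName:pwgrabbName:pwgrabc").
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the "Malware Config" block above (same values as the page).
REPORT_CONFIG = """\
Family: trickbot
Version: 100019
Botnet: top124
C2:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Autorun:
Name: pwgrabb
Name: pwgrabc
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
HEADINGS = {"extracted", "c2", "c2:", "autorun", "autorun:"}


@dataclass
class TrickBotConfig:
    family: str | None = None
    version: int | None = None
    botnet: str | None = None        # TrickBot's campaign tag ("gtag"), here top124
    c2: list[tuple[str, int]] = field(default_factory=list)
    autorun: list[str] = field(default_factory=list)   # modules loaded at start


def parse_config(text: str) -> TrickBotConfig:
    cfg = TrickBotConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() in HEADINGS:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key in ("family", "version", "botnet"):
            setattr(cfg, key, int(value) if key == "version" else value)
        elif (m := C2_RE.match(line)):
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)             # rejects octets above 255
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            cfg.c2.append((ip, port))
        elif "Name:" in line:
            # "Name: pwgrabb" or the flattened "autorunName:pwgrabbName:pwgrabc"
            cfg.autorun += [p.strip() for p in line.split("Name:")[1:] if p.strip()]
        elif cfg.family is None:                 # bare positional layout: family,
            cfg.family = line                    # version, botnet, then C2 lines
        elif cfg.version is None and line.isdigit():
            cfg.version = int(line)
        elif cfg.botnet is None:
            cfg.botnet = line
        else:
            raise ValueError(f"unexpected config line: {line!r}")
    if not (cfg.family and cfg.version and cfg.botnet and cfg.c2):
        raise ValueError("config is missing family, version, botnet or C2 list")
    return cfg


def suricata_rules(cfg: TrickBotConfig, base_sid: int = 9000000) -> list[str]:
    """One rule per C2 endpoint; sids are allocated sequentially from base_sid (assumed range)."""
    msg = f"LOCAL TrickBot {cfg.botnet} v{cfg.version} C2"
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg} {ip}:{port}"; '
        f"flow:to_server,established; sid:{base_sid + i}; rev:1;)"
        for i, (ip, port) in enumerate(cfg.c2)
    ]


def c2_clusters(cfg: TrickBotConfig, prefixlen: int = 24) -> dict[str, list[str]]:
    """Group C2 addresses sharing a prefix; shared ranges are pivot points for hunting."""
    groups: dict[str, list[str]] = {}
    for ip, _ in cfg.c2:
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        groups.setdefault(net, []).append(ip)
    return {net: ips for net, ips in groups.items() if len(ips) > 1}


if __name__ == "__main__":
    config = parse_config(REPORT_CONFIG)
    print(f"{config.family} v{config.version} gtag={config.botnet} "
          f"c2={len(config.c2)} autorun={config.autorun}")
    print("\n".join(suricata_rules(config)))
    print(c2_clusters(config))
```

Every endpoint in this config listens on 443, so the generated rules key on destination IP and port alone; the ET MALWARE checkin signature that fired in this run matches content on the wire instead, and the two are complementary (the IP rules age out as the operators rotate infrastructure, the content rule does not). The /24 grouping surfaces 46.99.175.217 and 46.99.175.149 as neighbours, which is the sort of shared range worth pivoting on.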
Signatures

- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  18    api.ipify.org

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2012  wermgr.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1824  7992fdcc40a3862cb85c760c8bec72bf.exe
  1824  7992fdcc40a3862cb85c760c8bec72bf.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process                               target process
  PID 1824 wrote to memory of 2012  1824  7992fdcc40a3862cb85c760c8bec72bf.exe  wermgr.exe  (4 entries)
  PID 1824 wrote to memory of 1524  1824  7992fdcc40a3862cb85c760c8bec72bf.exe  cmd.exe     (4 entries)
  PID 1824 wrote to memory of 2012  1824  7992fdcc40a3862cb85c760c8bec72bf.exe  wermgr.exe  (2 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\7992fdcc40a3862cb85c760c8bec72bf.exe (PID 1824, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7992fdcc40a3862cb85c760c8bec72bf.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (PID 2012, depth 2, child of 1824)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1524, depth 2, child of 1824)
    Command line: C:\Windows\system32\cmd.exe
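Read together, the signatures and the process tree show one pattern: the sample, running from the user's Temp directory, spawns two Windows binaries (wermgr.exe and cmd.exe), writes into their memory ten times, and the wermgr.exe child then enables SeDebugPrivilege. The following is an added example, not Triage's rule logic and not anything from the sample, that expresses that pattern as a detection over event rows. The event list is a constructed, simplified replay of the rows in this report (tuple shape, pid values and paths taken from the page); the path heuristics and severity labels are assumptions.

```python
"""Flag the injection pattern recorded in the signatures above.

Added example for this report (not Triage's own rule logic). The event list is
a constructed, simplified replay of the report's process tree, WriteProcessMemory
and AdjustPrivilegeToken rows; the sandbox records these as API-call rows, not
in this tuple shape.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7992fdcc40a3862cb85c760c8bec72bf.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# (api, pid, image, target_pid, target_image, detail), rebuilt from the report.
REPORT_EVENTS = [
    ("CreateProcess", 1824, SAMPLE, 2012, WERMGR, ""),
    ("CreateProcess", 1824, SAMPLE, 1524, CMD, ""),
    *[("WriteProcessMemory", 1824, SAMPLE, 2012, WERMGR, "")] * 4,
    *[("WriteProcessMemory", 1824, SAMPLE, 1524, CMD, "")] * 4,
    *[("WriteProcessMemory", 1824, SAMPLE, 2012, WERMGR, "")] * 2,
    ("AdjustPrivilegeToken", 2012, WERMGR, None, None, "SeDebugPrivilege"),
    ("SetWindowsHookEx", 1824, SAMPLE, None, None, ""),
]

# Assumed path heuristics: where unprivileged code can drop files, and where
# Windows' own binaries live.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_image(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


@dataclass
class Finding:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    writes: int = 0
    spawned_by_source: bool = False   # source created the target itself
    debug_privilege: bool = False     # target enabled SeDebugPrivilege in the trace

    @property
    def severity(self) -> str:        # assumed labels, tune to your own scale
        if self.spawned_by_source and self.debug_privilege:
            return "critical"
        if self.spawned_by_source or self.debug_privilege:
            return "high"
        return "medium"


def detect_injection(events) -> list[Finding]:
    """A binary in a user-writable path writing into a Windows binary's memory.

    One finding per (source pid, target pid) pair, counting the writes and
    enriching with whether the source spawned the target and whether the
    target enabled SeDebugPrivilege anywhere in the trace.
    """
    children = {(pid, tpid) for api, pid, _, tpid, _, _ in events if api == "CreateProcess"}
    debug = {pid for api, pid, _, _, _, detail in events
             if api == "AdjustPrivilegeToken" and detail == "SeDebugPrivilege"}
    findings: dict[tuple[int, int], Finding] = {}
    for api, pid, image, tpid, timage, _ in events:
        if api != "WriteProcessMemory" or tpid is None:
            continue
        if not (is_user_writable(image) and is_system_image(timage)):
            continue
        finding = findings.setdefault((pid, tpid), Finding(pid, image, tpid, timage))
        finding.writes += 1
        finding.spawned_by_source = (pid, tpid) in children
        finding.debug_privilege = tpid in debug
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_injection(REPORT_EVENTS):
        print(f"[{f.severity}] {f.src_image} (pid {f.src_pid}) wrote {f.writes}x into "
              f"{f.dst_image} (pid {f.dst_pid}); spawned={f.spawned_by_source} "
              f"SeDebugPrivilege={f.debug_privilege}")
```

On the report's rows this yields two findings: 1824 into wermgr.exe (6 writes, spawned by the source, SeDebugPrivilege enabled) and 1824 into cmd.exe (4 writes, spawned by the source). Outside the sandbox the same signal comes from Sysmon Event ID 10 (ProcessAccess) where SourceImage is under a user-writable path, TargetImage is a Windows binary the source created moments earlier (Event ID 1), and GrantedAccess includes PROCESS_VM_WRITE (0x0020) and PROCESS_VM_OPERATION (0x0008); Sysmon does not record the privilege adjustment itself, which is covered by Security event 4703 where token-right auditing is enabled.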
Downloads
-
memory/1824-60-0x0000000001CD0000-0x0000000001D0E000-memory.dmpFilesize
248KB
-
memory/1824-63-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1824-64-0x00000000005F0000-0x000000000062C000-memory.dmpFilesize
240KB
-
memory/1824-65-0x0000000001D30000-0x0000000001D6A000-memory.dmpFilesize
232KB
-
memory/1824-66-0x0000000001C50000-0x0000000001C51000-memory.dmpFilesize
4KB
-
memory/1824-67-0x0000000010001000-0x0000000010003000-memory.dmpFilesize
8KB
-
memory/2012-68-0x0000000000000000-mapping.dmp
-
memory/2012-70-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/2012-69-0x0000000000060000-0x0000000000089000-memory.dmpFilesize
164KB