Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 08:47
Static task: static1
Behavioral task: behavioral1
- Sample: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
- Resource: win7v20210408
General
- Target: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
- Size: 360KB
- MD5: fba1a412ee72b3eb54c0cbf7e7bf675a
- SHA1: 4497d5fcb93326ec5dc2f516d222b9bb4ff62c11
- SHA256: 1ea718dbbd43c2c38ac983783b74997feab9cf776294398218e49778d5a0983b
- SHA512: 49b163fd58d3b414a6eeb4be4fb05ed09e6cfdbd929e63e26064d7f9b39d4831f8df6e1a044721ea6622d0fc8a7b3b9c9c4f028de7d466e3ab3cdccfe1d812db
Malware Config
Extracted
- Family: trickbot
- Version: 2000033
- Botnet: tot152
- C2 (ip:port, one per line):
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
- autorun:
  Name: pwgrabb
  Name: pwgrabc
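The C2 list above is the most directly actionable part of this report, but it is only a list until it is parsed and matched. The following is an added example, not code from the sandbox or from the report: it parses the config block as printed above into a structured C2 list, checks constructed flow records against it, and emits one Suricata rule per controller. CONFIG_TEXT is a copy of the report's config block, FLOW_LOG is constructed for the demo, and the sid range starting at 9000001 is an assumption. Because TrickBot controllers move between 443 and 449, a destination IP seen on a port the config does not list is still reported, at lower confidence. Indicators from a single sample age quickly, so treat the list as a starting point rather than a durable blocklist.

```python
"""Network IOCs from the extracted TrickBot config, checked against flow records.

Added example for this report, not code from the sandbox or from TrickBot.
CONFIG_TEXT is the config block as the report prints it (here wrapped several
entries per line; the parser splits on whitespace), FLOW_LOG is a constructed
set of flow records (ts src sport dst dport), and the Suricata sid range is an
assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

CONFIG_TEXT = """\
trickbot
2000033
tot152
179.42.137.102:443 191.36.152.198:443 179.42.137.104:443 179.42.137.106:443
179.42.137.108:443 202.183.12.124:443 194.190.18.122:443 103.56.207.230:443
171.103.187.218:449 171.103.189.118:449 18.139.111.104:443 179.42.137.105:443
186.4.193.75:443 171.101.229.2:449 179.42.137.107:443 103.56.43.209:449
179.42.137.110:443 45.181.207.156:443 197.44.54.162:449 179.42.137.109:443
103.59.105.226:449 45.181.207.101:443 117.196.236.205:443 72.224.45.102:449
179.42.137.111:443 96.47.239.181:443 171.100.112.190:449 117.196.239.6:443
"""

# Constructed flow records: two C2 contacts, one benign TLS flow to a
# documentation address, and one contact to a C2 IP on an unlisted port.
FLOW_LOG = """\
2021-09-24T08:48:01Z 10.0.0.15 49211 179.42.137.102 443
2021-09-24T08:48:03Z 10.0.0.15 49212 171.103.187.218 449
2021-09-24T08:48:05Z 10.0.0.15 49213 203.0.113.10 443
2021-09-24T08:48:09Z 10.0.0.15 49214 179.42.137.102 8443
"""

C2_LINE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


@dataclass(frozen=True)
class C2:
    ip: str
    port: int


def parse_trickbot_config(text):
    """Split the config block into family, version, botnet tag and validated C2 list."""
    family, version, botnet, *c2_tokens = text.split()
    c2 = []
    for tok in c2_tokens:
        m = C2_LINE.fullmatch(tok)
        if not m:
            raise ValueError(f"unexpected config token: {tok!r}")
        ip, port = m.group(1), int(m.group(2))
        ipaddress.IPv4Address(ip)          # raises on octets > 255
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port in {tok!r}")
        c2.append(C2(ip, port))
    return {"family": family, "version": version, "botnet": botnet, "c2": c2}


def match_flows(flow_text, cfg):
    """One hit per flow whose destination is a C2: 'exact' on ip:port, 'ip-only' otherwise."""
    exact = {(c.ip, c.port) for c in cfg["c2"]}
    ips = {c.ip for c in cfg["c2"]}
    hits = []
    for line in flow_text.splitlines():
        ts, src, _sport, dst, dport = line.split()
        dport = int(dport)
        if (dst, dport) in exact:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "confidence": "exact"})
        elif dst in ips:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "confidence": "ip-only"})
    return hits


def suricata_rules(cfg, sid_start=9000001):
    """Emit one outbound alert rule per C2 entry (sid range is an assumption)."""
    return [
        f'alert tcp $HOME_NET any -> {c.ip} {c.port} '
        f'(msg:"TrickBot {cfg["botnet"]} C2 {c.ip}:{c.port}"; flow:to_server; '
        f'sid:{sid_start + i}; rev:1;)'
        for i, c in enumerate(cfg["c2"])
    ]


if __name__ == "__main__":
    cfg = parse_trickbot_config(CONFIG_TEXT)
    for hit in match_flows(FLOW_LOG, cfg):
        print(hit)
    print(suricata_rules(cfg)[0])
```

Run it as-is to see the three hits (two exact, one ip-only on port 8443) and the first generated rule; feed the rule list to Suricata with a sid range that does not collide with your existing local rules.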
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  15    ident.me
  16    ident.me
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1320  wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid   process
  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe
  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                       pid   process                               target process
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
  PID 1820 wrote to memory of 1976  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  cmd.exe
  PID 1820 wrote to memory of 1976  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  cmd.exe
  PID 1820 wrote to memory of 1976  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  cmd.exe
  PID 1820 wrote to memory of 1976  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  cmd.exe
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
  PID 1820 wrote to memory of 1320  1820  fba1a412ee72b3eb54c0cbf7e7bf675a.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe (PID 1820, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (PID 1320, depth 2)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1976, depth 2)
    Command line: C:\Windows\system32\cmd.exe
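The process tree and the WriteProcessMemory and AdjustPrivilegeToken rows describe one pattern rather than three unrelated findings: a binary run from the user's Temp directory spawns two Windows system binaries (wermgr.exe, the Windows Error Reporting manager, and cmd.exe), writes into the memory of both, and the wermgr.exe instance then enables SeDebugPrivilege. The sandbox scores each API use on its own; a detection is more useful when it correlates them, since a parent writing into a child it just created is also how some legitimate launchers behave. The following is an added example, not the sandbox's own logic: it runs that correlation over a constructed event stream built from the PIDs, images and rows in this report. The event schema (type, pid, ppid, image, target_pid, privilege) is a simplified stand-in assumed here, not Sysmon's real field names, and the root process's parent is unknown from the report and set to None.

```python
"""Correlate process creation, cross-process writes and token changes into one alert.

Added example, not the sandbox's own detection code. EVENTS is constructed from
the PIDs, images and signature rows in the report; the field names are a
simplified stand-in for a Sysmon-like schema, not Sysmon's real names.
"""
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed event stream: 1820 (from Temp) spawns wermgr.exe and cmd.exe,
# writes 4+2 times into wermgr.exe and 4 times into cmd.exe, and wermgr.exe
# enables SeDebugPrivilege in between, matching the report's rows.
EVENTS = [
    {"type": "process_create", "pid": 1820, "ppid": None,   # parent unknown from the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe"},
    {"type": "process_create", "pid": 1320, "ppid": 1820, "image": r"C:\Windows\system32\wermgr.exe"},
    {"type": "process_create", "pid": 1976, "ppid": 1820, "image": r"C:\Windows\system32\cmd.exe"},
    *({"type": "write_process_memory", "pid": 1820, "target_pid": 1320} for _ in range(4)),
    *({"type": "write_process_memory", "pid": 1820, "target_pid": 1976} for _ in range(4)),
    {"type": "adjust_token", "pid": 1320, "privilege": "SeDebugPrivilege"},
    *({"type": "write_process_memory", "pid": 1820, "target_pid": 1320} for _ in range(2)),
]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect_injection(events):
    """Return alerts for user-writable images writing into system binaries.

    Score: 1 for the write itself, +1 if the target is the writer's own child,
    +1 if the target later enabled SeDebugPrivilege. Sorted highest score first.
    """
    procs = {}                      # pid -> (image, ppid)
    writes = defaultdict(int)       # (writer pid, target pid) -> count
    privs = defaultdict(set)        # pid -> privileges enabled
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = (e["image"], e["ppid"])
        elif e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "adjust_token":
            privs[e["pid"]].add(e["privilege"])

    alerts = []
    for (src, dst), count in writes.items():
        src_img, _ = procs.get(src, ("?", None))
        dst_img, dst_ppid = procs.get(dst, ("?", None))
        if not (is_user_writable(src_img) and is_system_binary(dst_img)):
            continue
        score, reasons = 1, [f"{count} WriteProcessMemory calls from {src} into {dst_img}"]
        if dst_ppid == src:
            score += 1
            reasons.append("target is a child of the writer (inject-on-spawn pattern)")
        if "SeDebugPrivilege" in privs.get(dst, ()):
            score += 1
            reasons.append("target later enabled SeDebugPrivilege")
        alerts.append({"src_pid": src, "target_pid": dst, "target": dst_img.rsplit("\\", 1)[-1],
                       "writes": count, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in detect_injection(EVENTS):
        print(alert["score"], alert["target"], "|", "; ".join(alert["reasons"]))
```

The wermgr.exe alert scores highest because all three signals line up on one target; the cmd.exe alert scores lower, which is the right order for triage. Tuning the user-writable markers and system directories to your estate's image paths is the main knob.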
Network
MITRE ATT&CK Matrix
Downloads
- memory/1320-68-0x0000000000000000-mapping.dmp
- memory/1320-69-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
- memory/1320-70-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
- memory/1820-60-0x0000000000520000-0x000000000055F000-memory.dmp (Filesize: 252KB)
- memory/1820-63-0x0000000075511000-0x0000000075513000-memory.dmp (Filesize: 8KB)
- memory/1820-64-0x00000000004E0000-0x000000000051D000-memory.dmp (Filesize: 244KB)
- memory/1820-65-0x0000000001E00000-0x0000000001E3B000-memory.dmp (Filesize: 236KB)
- memory/1820-67-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1820-66-0x0000000000560000-0x0000000000571000-memory.dmp (Filesize: 68KB)