Analysis
-
max time kernel: 137s
max time network: 146s
platform: windows10_x64
resource: win10-en-20210920
submitted: 24-09-2021 08:47
Static task: static1
Behavioral task: behavioral1
Sample: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
Resource: win7v20210408
General
-
Target: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
Size: 360KB
MD5: fba1a412ee72b3eb54c0cbf7e7bf675a
SHA1: 4497d5fcb93326ec5dc2f516d222b9bb4ff62c11
SHA256: 1ea718dbbd43c2c38ac983783b74997feab9cf776294398218e49778d5a0983b
SHA512: 49b163fd58d3b414a6eeb4be4fb05ed09e6cfdbd929e63e26064d7f9b39d4831f8df6e1a044721ea6622d0fc8a7b3b9c9c4f028de7d466e3ab3cdccfe1d812db
Malware Config
Extracted
trickbot
2000033
tot152
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
-
autorun
Name: pwgrabb
Name: pwgrabc
Signatures
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: wermgr.exe
description | pid | process
Token: SeDebugPrivilege | 4160 | wermgr.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
pid | process
3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe
3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
description | pid | process | target process
PID 3572 wrote to memory of 4160 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
PID 3572 wrote to memory of 4160 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
PID 3572 wrote to memory of 3492 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | cmd.exe
PID 3572 wrote to memory of 3492 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | cmd.exe
PID 3572 wrote to memory of 4160 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
PID 3572 wrote to memory of 4160 | 3572 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/3572-115-0x0000000002BF0000-0x0000000002C2F000-memory.dmp (Filesize: 252KB)
- memory/3572-119-0x0000000002C30000-0x0000000002C6B000-memory.dmp (Filesize: 236KB)
- memory/3572-118-0x0000000002BB0000-0x0000000002BED000-memory.dmp (Filesize: 244KB)
- memory/3572-120-0x0000000002C70000-0x0000000002C71000-memory.dmp (Filesize: 4KB)
- memory/3572-121-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/4160-122-0x0000000000000000-mapping.dmp
- memory/4160-124-0x000002B603DC0000-0x000002B603DC1000-memory.dmp (Filesize: 4KB)
- memory/4160-123-0x000002B603D80000-0x000002B603DA9000-memory.dmp (Filesize: 164KB)