Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-09-2021 08:48

Static task: static1
Behavioral task: behavioral1
- Sample: 00bf75d02bb1e16a1a09d4ff964b1a36.exe
- Resource: win7v20210408
General
- Target: 00bf75d02bb1e16a1a09d4ff964b1a36.exe
- Size: 356KB
- MD5: 00bf75d02bb1e16a1a09d4ff964b1a36
- SHA1: a152d09a6a90d41fc29dc64b9c5c3360ab4ebf9a
- SHA256: fac96a62fc74193e1b2d5af32673077eaed3028a5477ab676aeac2943f81c6c0
- SHA512: 072fcd69e08b6db309dc06e0a0dcc95d72d80e851ecf0f5aafa8dd28fe4d4d5af5dedd32f3f88533a55a8b4cc27e237d47dc65642040991f56ecfa187de69572
Malware Config
Extracted
- Family: trickbot
- Version: 100019
- Botnet: top124
- Autorun: Name:pwgrabb, Name:pwgrabc
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 4124 / wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe
  3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  PID 3084 wrote to memory of 4124 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / wermgr.exe
  PID 3084 wrote to memory of 4124 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / wermgr.exe
  PID 3084 wrote to memory of 3292 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / cmd.exe
  PID 3084 wrote to memory of 3292 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / cmd.exe
  PID 3084 wrote to memory of 4124 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / wermgr.exe
  PID 3084 wrote to memory of 4124 / 3084 / 00bf75d02bb1e16a1a09d4ff964b1a36.exe / wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\00bf75d02bb1e16a1a09d4ff964b1a36.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\00bf75d02bb1e16a1a09d4ff964b1a36.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (depth 2)
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe
Downloads
- memory/3084-115-0x0000000002590000-0x00000000025CE000-memory.dmp (filesize 248KB)
- memory/3084-118-0x0000000002550000-0x000000000258C000-memory.dmp (filesize 240KB)
- memory/3084-119-0x0000000002D50000-0x0000000002D8A000-memory.dmp (filesize 232KB)
- memory/3084-121-0x0000000010001000-0x0000000010003000-memory.dmp (filesize 8KB)
- memory/3084-120-0x00000000025E0000-0x00000000025E1000-memory.dmp (filesize 4KB)
- memory/4124-122-0x0000000000000000-mapping.dmp
- memory/4124-123-0x000001A7647F0000-0x000001A764819000-memory.dmp (filesize 164KB)
- memory/4124-124-0x000001A764830000-0x000001A764831000-memory.dmp (filesize 4KB)