Analysis
- max time kernel: 1153s
- max time network: 1201s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-09-2021 08:56
Static task: static1
Behavioral task: behavioral1
Sample: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
Resource: win7-en-20210920
General
- Target: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
- Size: 360KB
- MD5: fba1a412ee72b3eb54c0cbf7e7bf675a
- SHA1: 4497d5fcb93326ec5dc2f516d222b9bb4ff62c11
- SHA256: 1ea718dbbd43c2c38ac983783b74997feab9cf776294398218e49778d5a0983b
- SHA512: 49b163fd58d3b414a6eeb4be4fb05ed09e6cfdbd929e63e26064d7f9b39d4831f8df6e1a044721ea6622d0fc8a7b3b9c9c4f028de7d466e3ab3cdccfe1d812db
Malware Config
Extracted
trickbot
2000033
tot152
- autorun: Name:pwgrabb, Name:pwgrabc
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  48 | ident.me
  49 | ident.me
- Discovers systems in the same network (1 TTPs, 2 IoCs)
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe
  pid | process
  744 | ipconfig.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe
  pid | process
  4068 | svchost.exe
  4068 | svchost.exe
  1268 | svchost.exe
  1268 | svchost.exe
  636 | svchost.exe
  636 | svchost.exe
  1268 | svchost.exe
  1268 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: wermgr.exe, svchost.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 1764 | wermgr.exe
  Token: SeDebugPrivilege | 4068 | svchost.exe
  Token: SeDebugPrivilege | 1268 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: fba1a412ee72b3eb54c0cbf7e7bf675a.exe
  pid | process
  1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe
  1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: fba1a412ee72b3eb54c0cbf7e7bf675a.exe, wermgr.exe
  description | pid | process | target process
  PID 1644 wrote to memory of 1764 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
  PID 1644 wrote to memory of 1764 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
  PID 1644 wrote to memory of 2068 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | cmd.exe
  PID 1644 wrote to memory of 2068 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | cmd.exe
  PID 1644 wrote to memory of 1764 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
  PID 1644 wrote to memory of 1764 | 1644 | fba1a412ee72b3eb54c0cbf7e7bf675a.exe | wermgr.exe
  PID 1764 wrote to memory of 4068 | 1764 | wermgr.exe | svchost.exe
  (the last row is repeated verbatim for every remaining IoC in the list)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\system32\cmd.exe
        command line: /c ipconfig /all
        - [5] C:\Windows\system32\ipconfig.exe
          command line: ipconfig /all
          - Gathers network information
      - [4] C:\Windows\system32\cmd.exe
        command line: /c net config workstation
        - [5] C:\Windows\system32\net.exe
          command line: net config workstation
          - [6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 config workstation
      - [4] C:\Windows\system32\cmd.exe
        command line: /c net view /all
        - [5] C:\Windows\system32\net.exe
          command line: net view /all
          - Discovers systems in the same network
      - [4] C:\Windows\system32\cmd.exe
        command line: /c net view /all /domain
        - [5] C:\Windows\system32\net.exe
          command line: net view /all /domain
          - Discovers systems in the same network
      - [4] C:\Windows\system32\cmd.exe
        command line: /c nltest /domain_trusts
        - [5] C:\Windows\system32\nltest.exe
          command line: nltest /domain_trusts
      - [4] C:\Windows\system32\cmd.exe
        command line: /c nltest /domain_trusts /all_trusts
        - [5] C:\Windows\system32\nltest.exe
          command line: nltest /domain_trusts /all_trusts
  - [2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe
Network
MITRE ATT&CK Matrix ATT&CK v6