Analysis
- max time kernel: 136s
- max time network: 130s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 11:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: b0374a561a84b6685f9ce634afc0b0c3.exe
- Resource: win7v20210408
General
- Target: b0374a561a84b6685f9ce634afc0b0c3.exe
- Size: 360KB
- MD5: b0374a561a84b6685f9ce634afc0b0c3
- SHA1: b9fa7a881ac8d5105daed61f415331e3719ff0b8
- SHA256: f5a6c24ef3c67f207f67b7d32c1e0af187461760796e2c5bd8a17bb9ffeda8b3
- SHA512: 38ecca8436e77720389c9a94a1f23e1fa9ab323c62c8e91a243c16b7f2639307a3e04ad52f656b81466e7ba959ce0753094b80532fcac935b891ed0335886931
Malware Config
Extracted
- Family: trickbot
- Version: 2000033
- Botnet: lib152
- autorun:
  - Name:pwgrabb
  - Name:pwgrabc
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 11, ioc: checkip.amazonaws.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    wermgr.exe (PID 2000): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    b0374a561a84b6685f9ce634afc0b0c3.exe (PID 1972), 2 occurrences
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    b0374a561a84b6685f9ce634afc0b0c3.exe (PID 1972) wrote to memory of wermgr.exe (PID 2000), 6 occurrences
    b0374a561a84b6685f9ce634afc0b0c3.exe (PID 1972) wrote to memory of cmd.exe (PID 1992), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\b0374a561a84b6685f9ce634afc0b0c3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0374a561a84b6685f9ce634afc0b0c3.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (depth 2, child of the above)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (depth 2, child of the above)
    Command line: C:\Windows\system32\cmd.exe
Downloads
- memory/1972-60-0x0000000000460000-0x00000000004A0000-memory.dmp (Filesize: 256KB)
- memory/1972-63-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
- memory/1972-64-0x0000000000360000-0x000000000039D000-memory.dmp (Filesize: 244KB)
- memory/1972-65-0x0000000001F40000-0x0000000001F7B000-memory.dmp (Filesize: 236KB)
- memory/1972-67-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1972-66-0x00000000003D0000-0x00000000003E1000-memory.dmp (Filesize: 68KB)
- memory/2000-68-0x0000000000000000-mapping.dmp
- memory/2000-69-0x00000000000E0000-0x0000000000109000-memory.dmp (Filesize: 164KB)
- memory/2000-70-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize: 4KB)