Analysis
max time kernel
161s
max time network
166s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 19:05
Static task
static1
Behavioral task
behavioral1
Sample
4f053a76df955f3f5ef9b20b027d1fa2.exe
Resource
win7-en-20210920
General
Target
4f053a76df955f3f5ef9b20b027d1fa2.exe
Size
360KB
MD5
4f053a76df955f3f5ef9b20b027d1fa2
SHA1
ddbf7761ad0409f0228799b231be600ca2d24f12
SHA256
5ee35bd407af70ebadd34ca4ee64eb7b9fea5355f805e813cac1f20917f0f951
SHA512
8dd0ccb14d6f7f93e880bfd6c74a3c34538a67800f0fc56aa1d74dd1337909648f100024ffefd1cb5f0108ad3d84e2cc2e567ad2ce8463989305d48c794f091b
Malware Config
Extracted
trickbot
2000033
tot152
autorun
Name: pwgrabb
Name: pwgrabc
Signatures
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | ipecho.net
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1092 | wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe
996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 996 wrote to memory of 1092 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | wermgr.exe
PID 996 wrote to memory of 1092 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | wermgr.exe
PID 996 wrote to memory of 1216 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | cmd.exe
PID 996 wrote to memory of 1216 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | cmd.exe
PID 996 wrote to memory of 1092 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | wermgr.exe
PID 996 wrote to memory of 1092 | 996 | 4f053a76df955f3f5ef9b20b027d1fa2.exe | wermgr.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4f053a76df955f3f5ef9b20b027d1fa2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\4f053a76df955f3f5ef9b20b027d1fa2.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe
  command line: C:\Windows\system32\wermgr.exe
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe
Downloads
memory/996-114-0x0000000002BE0000-0x0000000002C1F000-memory.dmp (Filesize 252KB)
memory/996-117-0x0000000002650000-0x000000000268D000-memory.dmp (Filesize 244KB)
memory/996-118-0x0000000002C20000-0x0000000002C5B000-memory.dmp (Filesize 236KB)
memory/996-120-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize 8KB)
memory/996-119-0x0000000002C70000-0x0000000002C71000-memory.dmp (Filesize 4KB)
memory/1092-121-0x0000000000000000-mapping.dmp
memory/1092-123-0x00000223B77B0000-0x00000223B77B1000-memory.dmp (Filesize 4KB)
memory/1092-122-0x00000223B76A0000-0x00000223B76C9000-memory.dmp (Filesize 164KB)