Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-09-2021 07:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 01711d67f997b7d97e256a2b257801ca.exe
- Resource: win7-en-20210920
General
- Target: 01711d67f997b7d97e256a2b257801ca.exe
- Size: 516KB
- MD5: 01711d67f997b7d97e256a2b257801ca
- SHA1: 769693477473f26fc8917c9c091147b9220746a8
- SHA256: f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
- SHA512: eedd6438d65d0323850e92f96d4039238cdf3f7aed783f1254db14a7e0ce09dfe149f2545b4d104f3a0ce413a7f9a51b9183197f4214a231227bc347c9bab2e3
Malware Config
Extracted
trickbot
2000033
tot153
- autorun: Name:pwgrabb, Name:pwgrabc
Signatures
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    6     wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1380  wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1984  01711d67f997b7d97e256a2b257801ca.exe
    1984  01711d67f997b7d97e256a2b257801ca.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
    PID 1984 wrote to memory of 1464  1984  01711d67f997b7d97e256a2b257801ca.exe  cmd.exe
    PID 1984 wrote to memory of 1464  1984  01711d67f997b7d97e256a2b257801ca.exe  cmd.exe
    PID 1984 wrote to memory of 1464  1984  01711d67f997b7d97e256a2b257801ca.exe  cmd.exe
    PID 1984 wrote to memory of 1464  1984  01711d67f997b7d97e256a2b257801ca.exe  cmd.exe
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
    PID 1984 wrote to memory of 1380  1984  01711d67f997b7d97e256a2b257801ca.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\01711d67f997b7d97e256a2b257801ca.exe
  "C:\Users\Admin\AppData\Local\Temp\01711d67f997b7d97e256a2b257801ca.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe
Downloads
- memory/1380-62-0x0000000000000000-mapping.dmp
- memory/1380-64-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize 4KB)
- memory/1380-63-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize 164KB)
- memory/1984-54-0x0000000075C11000-0x0000000075C13000-memory.dmp (Filesize 8KB)
- memory/1984-55-0x00000000003B0000-0x00000000003EF000-memory.dmp (Filesize 252KB)
- memory/1984-58-0x0000000000370000-0x00000000003AC000-memory.dmp (Filesize 240KB)
- memory/1984-59-0x0000000000490000-0x00000000004CB000-memory.dmp (Filesize 236KB)
- memory/1984-61-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize 8KB)
- memory/1984-60-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize 4KB)