Analysis
- max time kernel: 107s
- max time network: 196s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 25-09-2021 07:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: a3276a6edd8cdf35e28c69e98fac25a9.exe
- Resource: win7v20210408
General
- Target: a3276a6edd8cdf35e28c69e98fac25a9.exe
- Size: 356KB
- MD5: a3276a6edd8cdf35e28c69e98fac25a9
- SHA1: 81c733ca47319a818bb1b9ef138c58bf4f715147
- SHA256: d825da453d80559eabf1d90dc46af91ce1a05448b4583d963e6fd3d05f87f208
- SHA512: 71f290b4b3fbece1816a58d63208cefb87bf02a47150db1a9e8715a1d8aec6195ea9a76a3d27be4cfea55974d98ab737f1f155d3d35c219aebe2d25a993ba7df
Malware Config
Extracted
trickbot
100019
lip124
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
- autorun
  Name: pwgrabb
  Name: pwgrabc
Signatures
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  9     ident.me
  10    ident.me
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: wermgr.exe
  description              pid  process
  Token: SeDebugPrivilege  432  wermgr.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: a3276a6edd8cdf35e28c69e98fac25a9.exe
  pid  process
  332  a3276a6edd8cdf35e28c69e98fac25a9.exe
  332  a3276a6edd8cdf35e28c69e98fac25a9.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: a3276a6edd8cdf35e28c69e98fac25a9.exe
  description                     pid  process                               target process
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
  PID 332 wrote to memory of 860  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  cmd.exe
  PID 332 wrote to memory of 860  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  cmd.exe
  PID 332 wrote to memory of 860  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  cmd.exe
  PID 332 wrote to memory of 860  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  cmd.exe
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
  PID 332 wrote to memory of 432  332  a3276a6edd8cdf35e28c69e98fac25a9.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a3276a6edd8cdf35e28c69e98fac25a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3276a6edd8cdf35e28c69e98fac25a9.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/332-60-0x0000000001F10000-0x0000000001F4E000-memory.dmp
  Filesize: 248KB
- memory/332-63-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
  Filesize: 8KB
- memory/332-64-0x0000000000270000-0x00000000002AC000-memory.dmp
  Filesize: 240KB
- memory/332-65-0x0000000001F50000-0x0000000001F8A000-memory.dmp
  Filesize: 232KB
- memory/332-66-0x00000000003E0000-0x00000000003F1000-memory.dmp
  Filesize: 68KB
- memory/332-67-0x0000000010001000-0x0000000010003000-memory.dmp
  Filesize: 8KB
- memory/432-68-0x0000000000000000-mapping.dmp
- memory/432-69-0x0000000000060000-0x0000000000089000-memory.dmp
  Filesize: 164KB
- memory/432-70-0x0000000000110000-0x0000000000111000-memory.dmp
  Filesize: 4KB