Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-09-2021 08:56

Static task: static1
Behavioral task: behavioral1
Sample: esmallruby.png.exe
Resource: win7-en-20210920
General
- Target: esmallruby.png.exe
- Size: 516KB
- MD5: b7d73779c34516503f1f4fd180638ece
- SHA1: 6da0fa29200ae2c92cc49eba856cfe6febfbacc6
- SHA256: 444aea051fe6b6be34128ba5f9ca77e92c97cb99225174bc8f8998dbb4993930
- SHA512: 64eba6d388b120ede4cda126d9fbe25e26cb03f66cbbb9af65b2d0f9ba118e3ba73e0c3020f6c9f629302e13f4ae5282eb5073aa8b0948f01cf2de9351a5886c
Malware Config
Extracted
- Family: trickbot
- Version: 2000033
- Botnet: tot153
- C2:
  179.42.137.102:443
  191.36.152.198:443
  179.42.137.104:443
  179.42.137.106:443
  179.42.137.108:443
  202.183.12.124:443
  194.190.18.122:443
  103.56.207.230:443
  171.103.187.218:449
  171.103.189.118:449
  18.139.111.104:443
  179.42.137.105:443
  186.4.193.75:443
  171.101.229.2:449
  179.42.137.107:443
  103.56.43.209:449
  179.42.137.110:443
  45.181.207.156:443
  197.44.54.162:449
  179.42.137.109:443
  103.59.105.226:449
  45.181.207.101:443
  117.196.236.205:443
  72.224.45.102:449
  179.42.137.111:443
  96.47.239.181:443
  171.100.112.190:449
  117.196.239.6:443
- autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  11    api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
  description              pid   process
  Token: SeDebugPrivilege  3180  wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: esmallruby.png.exe
  pid   process
  2392  esmallruby.png.exe
  2392  esmallruby.png.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: esmallruby.png.exe
  description                       pid   process             target process
  PID 2392 wrote to memory of 3180  2392  esmallruby.png.exe  wermgr.exe
  PID 2392 wrote to memory of 3180  2392  esmallruby.png.exe  wermgr.exe
  PID 2392 wrote to memory of 2668  2392  esmallruby.png.exe  cmd.exe
  PID 2392 wrote to memory of 2668  2392  esmallruby.png.exe  cmd.exe
  PID 2392 wrote to memory of 3180  2392  esmallruby.png.exe  wermgr.exe
  PID 2392 wrote to memory of 3180  2392  esmallruby.png.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\esmallruby.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\esmallruby.png.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/2392-115-0x00000000023E0000-0x000000000241F000-memory.dmp (Filesize: 252KB)
- memory/2392-119-0x0000000002420000-0x000000000245B000-memory.dmp (Filesize: 236KB)
- memory/2392-118-0x0000000002380000-0x00000000023BC000-memory.dmp (Filesize: 240KB)
- memory/2392-120-0x0000000002460000-0x0000000002461000-memory.dmp (Filesize: 4KB)
- memory/2392-121-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/3180-122-0x0000000000000000-mapping.dmp
- memory/3180-123-0x00000217FEE80000-0x00000217FEEA9000-memory.dmp (Filesize: 164KB)
- memory/3180-124-0x00000217FEF90000-0x00000217FEF91000-memory.dmp (Filesize: 4KB)