Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-09-2021 15:06

Static task: static1
Behavioral task: behavioral1
Sample: bcc84e9ca2d9f96f741272bb800aa08c.exe
Resource: win7-en-20210920

General
Target: bcc84e9ca2d9f96f741272bb800aa08c.exe
Size: 516KB
MD5: bcc84e9ca2d9f96f741272bb800aa08c
SHA1: b8f55dea9a7708ae9608f3b949874d16db98f228
SHA256: 46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
SHA512: e0e00b70f1e4111ef6b8cc56389c35531a696ba6dcc9c18b835e722573c0554dafccb5eb5fcdde7d0fe1da3d41e37600b2354498129e1fd6f47993e88b3bfa44
Malware Config
Extracted
trickbot
2000033
tot153
autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8, ioc: ipecho.net

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  wermgr.exe: description Token: SeDebugPrivilege, pid 1584, process wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  bcc84e9ca2d9f96f741272bb800aa08c.exe: pid 1324, process bcc84e9ca2d9f96f741272bb800aa08c.exe (2 occurrences)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  bcc84e9ca2d9f96f741272bb800aa08c.exe (description, pid, process, target process):
    PID 1324 wrote to memory of 1584: bcc84e9ca2d9f96f741272bb800aa08c.exe -> wermgr.exe (4 occurrences)
    PID 1324 wrote to memory of 1372: bcc84e9ca2d9f96f741272bb800aa08c.exe -> cmd.exe (4 occurrences)
    PID 1324 wrote to memory of 1584: bcc84e9ca2d9f96f741272bb800aa08c.exe -> wermgr.exe (2 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\bcc84e9ca2d9f96f741272bb800aa08c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bcc84e9ca2d9f96f741272bb800aa08c.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe
Downloads
memory/1324-53-0x0000000075661000-0x0000000075663000-memory.dmp (Filesize: 8KB)
memory/1324-54-0x00000000003B0000-0x00000000003EF000-memory.dmp (Filesize: 252KB)
memory/1324-58-0x0000000001DA0000-0x0000000001DDB000-memory.dmp (Filesize: 236KB)
memory/1324-57-0x0000000000270000-0x00000000002AC000-memory.dmp (Filesize: 240KB)
memory/1324-59-0x0000000001FF0000-0x0000000001FF1000-memory.dmp (Filesize: 4KB)
memory/1324-60-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
memory/1584-61-0x0000000000000000-mapping.dmp
memory/1584-62-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
memory/1584-63-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)