Analysis
Max time kernel: 125s
Max time network: 179s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 27-09-2021 17:46
Static task: static1
Behavioral task: behavioral1
Sample: 7bb8f00948d80dc7a3936c4c1fa2b276.exe
Resource: win7v20210408
General
Target: 7bb8f00948d80dc7a3936c4c1fa2b276.exe
Size: 516KB
MD5: 7bb8f00948d80dc7a3936c4c1fa2b276
SHA1: e60d2828c4a5716d1d96ba1a141e239a2df374f8
SHA256: c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
SHA512: ac507e6050da30a7b2a8867d6acf384925105fbb3d325d578de7997a1d1f3284071486d42caeea4274bbbef182fc966d0d2e130786c576d54be17ea3307ff298
Malware Config
Extracted family: trickbot
Version: 2000033
Botnet tag: tot153
C2 servers:
[28 C2 entries in IP:port form, on ports 443 and 449, omitted]
autorun modules:
  Name: pwgrabb
  Name: pwgrabc
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege | pid: 2036 | process: wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 2020 | process: 7bb8f00948d80dc7a3936c4c1fa2b276.exe (2 occurrences)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  PID 2020 (7bb8f00948d80dc7a3936c4c1fa2b276.exe) wrote to memory of 2036 (wermgr.exe) - 6 occurrences
  PID 2020 (7bb8f00948d80dc7a3936c4c1fa2b276.exe) wrote to memory of 1068 (cmd.exe) - 4 occurrences
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2 (child): C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken

  Depth 2 (child): C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
Downloads (memory dumps)
memory/2020-60-0x00000000754F1000-0x00000000754F3000-memory.dmp | Filesize: 8KB
memory/2020-61-0x0000000001E10000-0x0000000001E4F000-memory.dmp | Filesize: 252KB
memory/2020-65-0x0000000001F70000-0x0000000001FAB000-memory.dmp | Filesize: 236KB
memory/2020-64-0x0000000000620000-0x000000000065C000-memory.dmp | Filesize: 240KB
memory/2020-66-0x00000000003E0000-0x00000000003F1000-memory.dmp | Filesize: 68KB
memory/2020-67-0x0000000010001000-0x0000000010003000-memory.dmp | Filesize: 8KB
memory/2036-68-0x0000000000000000-mapping.dmp | Filesize: (not given)
memory/2036-70-0x0000000000190000-0x0000000000191000-memory.dmp | Filesize: 4KB
memory/2036-69-0x0000000000060000-0x0000000000089000-memory.dmp | Filesize: 164KB