Analysis
Max time kernel: 147s
Max time network: 152s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 27-09-2021 17:46
Static task: static1
Behavioral task: behavioral1
Sample: 7bb8f00948d80dc7a3936c4c1fa2b276.exe
Resource: win7v20210408
General
Target: 7bb8f00948d80dc7a3936c4c1fa2b276.exe
Size: 516KB
MD5: 7bb8f00948d80dc7a3936c4c1fa2b276
SHA1: e60d2828c4a5716d1d96ba1a141e239a2df374f8
SHA256: c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
SHA512: ac507e6050da30a7b2a8867d6acf384925105fbb3d325d578de7997a1d1f3284071486d42caeea4274bbbef182fc966d0d2e130786c576d54be17ea3307ff298
Malware Config
Extracted
Family: trickbot
Version: 2000033
Botnet: tot153
C2 (ip:port):
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Autorun: pwgrabb, pwgrabc
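The config block above is what a responder actually consumes: 28 C2 endpoints on 443 and 449 plus a botnet tag and version. The following is an added example (not part of the sandbox report) that parses the block as it appears on this page into a structured IoC set, clusters the C2s by /24 so dense ranges can be blocked whole, and matches the endpoints against firewall lines. The five-column log layout (timestamp, source, destination, destination port, action) and the log lines themselves are constructed for the example.

```python
"""Normalise the extracted TrickBot config into IoCs and match them against
firewall/proxy log lines. Added example, not part of the sandbox report."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Copy of the extracted config on this page: family, version, botnet tag,
# then one C2 endpoint per line as ip:port.
EXTRACTED_CONFIG = """\
trickbot
2000033
tot153
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
"""


@dataclass(frozen=True)
class TrickBotConfig:
    family: str
    version: str
    botnet: str
    c2: frozenset  # {(ip, port), ...}


def parse_config(text: str) -> TrickBotConfig:
    """Parse the 'family / version / botnet / ip:port...' layout used above."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet = lines[:3]
    c2 = set()
    for entry in lines[3:]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP literal
        c2.add((host, int(port)))
    return TrickBotConfig(family, version, botnet, frozenset(c2))


def c2_prefixes(cfg: TrickBotConfig, prefixlen: int = 24) -> Counter:
    """Count C2 endpoints per prefix; a cluster such as 179.42.137.0/24
    is usually cheaper to block as a range than as individual hosts."""
    return Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        for ip, _ in cfg.c2
    )


# Constructed firewall lines (timestamp src dst dport action). Two hit the C2
# list, one is an unrelated 443 connection, one hits a C2 IP on the wrong port.
SAMPLE_LOG = [
    "2021-09-27T17:47:02Z 10.0.0.15 179.42.137.102 443 ALLOW",
    "2021-09-27T17:47:05Z 10.0.0.15 93.184.216.34 443 ALLOW",
    "2021-09-27T17:47:09Z 10.0.0.15 171.103.187.218 449 ALLOW",
    "2021-09-27T17:47:11Z 10.0.0.22 179.42.137.102 80 ALLOW",
]


def match_log(cfg: TrickBotConfig, lines):
    """Return (timestamp, src, dst, dport) for every line whose destination
    is a configured C2. The port is part of the key on purpose: the config
    pairs each host with one port, and 449 is itself a TrickBot tell."""
    hits = []
    for line in lines:
        ts, src, dst, dport, _action = line.split()
        if (dst, int(dport)) in cfg.c2:
            hits.append((ts, src, dst, int(dport)))
    return hits
```

The external-IP lookup flagged in the signatures (ip.anysrc.net) is deliberately not in the match set: it is a legitimate service, so a DNS hit on it is corroboration for a C2 match, not an indicator on its own.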
Signatures
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow: flow 11 -> ip.anysrc.net
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe (PID 2428) enabled token privilege SeDebugPrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 7bb8f00948d80dc7a3936c4c1fa2b276.exe (PID 2352), two calls
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (source PID -> target PID), in report order:
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2428 wermgr.exe
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2428 wermgr.exe
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2620 cmd.exe
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2620 cmd.exe
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2428 wermgr.exe
2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe -> 2428 wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\cmd.exe (child of 1)
      Command line: C:\Windows\system32\cmd.exe
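Read together, the WriteProcessMemory rows, the AdjustPrivilegeToken row and the process tree describe one chain: a binary in the user's Temp directory spawns two system32 binaries, writes into both, and the wermgr.exe copy then enables SeDebugPrivilege. The following is an added example (not sandbox output) that reconstructs that chain from the rows as they are flattened on this page. The regexes are written against that flattened row layout, which is an assumption about the report format, and the "user-writable path writes into a system32 binary" heuristic is the example's own rule, not a sandbox signature.

```python
"""Reconstruct the injection chain from the WriteProcessMemory and
AdjustPrivilegeToken rows. Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Copies of the two signature rows as the report flattens them:
# writer PID, target PID, writer PID again, writer image, target image.
WRITE_PROCESS_MEMORY = (
    "PID 2352 wrote to memory of 2428 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe wermgr.exe "
    "PID 2352 wrote to memory of 2428 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe wermgr.exe "
    "PID 2352 wrote to memory of 2620 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe cmd.exe "
    "PID 2352 wrote to memory of 2620 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe cmd.exe "
    "PID 2352 wrote to memory of 2428 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe wermgr.exe "
    "PID 2352 wrote to memory of 2428 2352 7bb8f00948d80dc7a3936c4c1fa2b276.exe wermgr.exe"
)
ADJUST_PRIVILEGE_TOKEN = "Token: SeDebugPrivilege 2428 wermgr.exe"

# Process tree from the report: PID -> full image path.
PROCESS_IMAGES = {
    2352: r"C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe",
    2428: r"C:\Windows\system32\wermgr.exe",
    2620: r"C:\Windows\system32\cmd.exe",
}

# Assumed row layout (matches the flattened text above).
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\w+) (\d+) (\S+)")


def parse_writes(text):
    """Return [(writer_pid, target_pid, writer_image, target_image), ...]."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in WRITE_RE.findall(text)]


def parse_tokens(text):
    """Return [(pid, privilege_name), ...]."""
    return [(int(pid), priv) for priv, pid, _image in TOKEN_RE.findall(text)]


def is_user_writable(path):
    low = path.lower()
    return "\\appdata\\" in low or "\\temp\\" in low


def is_system_binary(path):
    return path.lower().startswith("c:\\windows\\system32\\")


def find_injections(writes, tokens, images):
    """Group cross-process writes per target process, attach any privilege the
    target enabled afterwards, and flag writes from a user-writable path into a
    Windows system binary (the pattern the report shows for wermgr.exe)."""
    by_target = defaultdict(lambda: {"writes": 0, "writer": None, "privileges": []})
    for writer_pid, target_pid, _wimg, _timg in writes:
        if writer_pid == target_pid:
            continue  # a process writing its own memory is not injection
        rec = by_target[target_pid]
        rec["writes"] += 1
        rec["writer"] = writer_pid
    for pid, priv in tokens:
        if pid in by_target:
            by_target[pid]["privileges"].append(priv)

    findings = []
    for target_pid, rec in sorted(by_target.items()):
        writer_img = images[rec["writer"]]
        target_img = images[target_pid]
        findings.append({
            "target_pid": target_pid,
            "target": target_img,
            "writer_pid": rec["writer"],
            "writes": rec["writes"],
            "privileges": rec["privileges"],
            "suspicious": is_user_writable(writer_img) and is_system_binary(target_img),
        })
    return findings
```

On a live host the same logic runs over Sysmon event ID 10 (ProcessAccess) plus event ID 1 image paths instead of the sandbox rows; the interesting join is the same: who wrote into wermgr.exe, and what that wermgr.exe did next.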
Downloads (memory dumps)
memory/2352-115-0x0000000002600000-0x000000000263F000-memory.dmp (252KB)
memory/2352-118-0x00000000024C0000-0x00000000024FC000-memory.dmp (240KB)
memory/2352-119-0x0000000002640000-0x000000000267B000-memory.dmp (236KB)
memory/2352-121-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
memory/2352-120-0x0000000000630000-0x00000000006BE000-memory.dmp (568KB)
memory/2428-122-0x0000000000000000-mapping.dmp
memory/2428-123-0x0000020B6BE10000-0x0000020B6BE39000-memory.dmp (164KB)
memory/2428-124-0x0000020B6BE50000-0x0000020B6BE51000-memory.dmp (4KB)