Analysis
max time kernel: 121s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211014
submitted: 21-10-2021 06:19
Static task: static1
Behavioral task behavioral1: sample Documents.lnk, resource win7-en-20211014
Behavioral task behavioral2: sample Documents.lnk, resource win10-en-20210920
Behavioral task behavioral3: sample Documents.tmp.dll, resource win7-en-20210920
Behavioral task behavioral4: sample Documents.tmp.dll, resource win10-en-20211014
General
Target: Documents.lnk
Size: 1KB
MD5: 0c87cf536140349af097d10fd388e8d8
SHA1: a8e880685cf6cce8c3d254de7420649fa4e881b8
SHA256: d43f97b1e8bc5537b0820c22abaab7fee4747767464cdfbef6758b678c998331
SHA512: 63589bfde2c1211553ddd64f4c77c6f3a06a2576edd25aad67936f77735d35152f025c029aeefb2427d12e1eaa565794774f49da131fee7f68829002373b1a2e
Malware Config
Extracted
Family: trickbot
Version: 100019
Botnet (gtag): leg1
C2 (ip:port, all on 443):
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Autorun modules: name pwgrabb, name pwgrabc
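Operationalising the extracted config, as an added example that is not part of the sandbox report: the script below parses the C2 list above into ip:port endpoints, matches them against flow-log lines, and emits one Suricata/Snort alert rule per endpoint. The flow-log format, the sample flow lines, the function names and the SID base are my assumptions; only the C2 entries come from the report.

```python
"""Turn the sandbox's extracted Trickbot config into network IOCs and run them
over flow logs. Added example, not part of the report: the log format and the
sample flow lines are constructed here."""
import ipaddress
import re
from collections import namedtuple

# C2 endpoints exactly as extracted from the sample (Trickbot version 100019, gtag "leg1").
TRICKBOT_C2 = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""

Endpoint = namedtuple("Endpoint", "ip port")


def parse_c2_list(text):
    """Parse 'ip:port' lines (IPv4, as Trickbot configs use) into a set of Endpoint.
    Malformed entries raise ValueError instead of silently becoming bad IOCs."""
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ip = ipaddress.ip_address(host)  # rejects hostnames and garbage
        endpoints.add(Endpoint(str(ip), int(port)))
    return endpoints


# Constructed flow-log lines (assumed format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>").
SAMPLE_FLOWS = [
    "2021-10-21T06:20:01Z 10.0.0.15:49712 -> 46.99.175.217:443 tcp",
    "2021-10-21T06:20:02Z 10.0.0.15:49713 -> 142.250.74.78:443 tcp",
    "2021-10-21T06:20:03Z 10.0.0.15:49714 -> 46.99.175.217:80 tcp",
    "garbage line that does not parse",
    "2021-10-21T06:20:05Z 10.0.0.22:51000 -> 185.56.175.122:443 tcp",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def match_flows(lines, endpoints):
    """Return (timestamp, internal source ip, Endpoint) for each flow to a known C2.
    The port is part of the match: the config lists ip:port pairs, and a bare IP
    may be a compromised host that also serves legitimate traffic on other ports."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # lines outside the expected format are skipped, not guessed at
        ep = Endpoint(m["dst"], int(m["dport"]))
        if ep in endpoints:
            hits.append((m["ts"], m["src"], ep))
    return hits


def to_suricata_rules(endpoints, sid_base=9000000, tag="trickbot leg1"):
    """Emit one Suricata/Snort alert rule per endpoint, in a stable order so SIDs do not drift."""
    ordered = sorted(endpoints, key=lambda e: (ipaddress.ip_address(e.ip), e.port))
    return [
        f'alert tcp $HOME_NET any -> {e.ip} {e.port} (msg:"{tag} C2 {e.ip}:{e.port}"; '
        f"sid:{sid_base + i}; rev:1;)"
        for i, e in enumerate(ordered, start=1)
    ]


if __name__ == "__main__":
    c2 = parse_c2_list(TRICKBOT_C2)
    for ts, src, ep in match_flows(SAMPLE_FLOWS, c2):
        print(f"{ts} {src} -> C2 {ep.ip}:{ep.port}")
    print("\n".join(to_suricata_rules(c2)))
```

Matching on ip and port together is deliberate: the third sample flow goes to a listed IP on port 80 and is not reported, which is the behaviour you want when a C2 list is reused for months and some of the hosts are hacked routers that also serve ordinary traffic.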
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 1916
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe, PID 612
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow IOC: flow 5, wtfismyip.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text. Trickbot is a banking trojan and loader, so for this sample the drive enumeration is better read as host reconnaissance than as encryption activity.)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe, PID 1928, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes, as source PID -> target PID, collapsed from the 26 raw events:
  1988 cmd.exe -> 1916 cmd.exe (3 events)
  1916 cmd.exe -> 268 xcopy.exe (3 events)
  1916 cmd.exe -> 668 rundll32.exe (3 events)
  668 rundll32.exe -> 612 rundll32.exe (7 events)
  612 rundll32.exe -> 1932 cmd.exe (4 events)
  612 rundll32.exe -> 1928 wermgr.exe (6 events)
Processes
(indentation is the nesting depth the report shows; PIDs are taken from the WriteProcessMemory events above)
- C:\Windows\system32\cmd.exe (PID 1988)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1916)
    "C:\Windows\System32\cmd.exe" /C xcopy /H /y Documents.tmp c:\programdata && start rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer && del Documents.lnk && del Documents.tmp && mkdir Documents && exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe (PID 268)
      xcopy /H /y Documents.tmp c:\programdata
    - C:\Windows\system32\rundll32.exe (PID 668)
      rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 612)
        rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 1932)
          C:\Windows\system32\cmd.exe
        - C:\Windows\system32\wermgr.exe (PID 1928)
          C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken

Chain summary: the LNK's target is cmd.exe, which copies the companion Documents.tmp (a DLL despite its extension) into C:\ProgramData, launches it through rundll32's DllRegisterServer export, deletes both the LNK and the .tmp, and creates a Documents folder in their place, presumably so the user still sees a Documents item after double-clicking. The 64-bit rundll32 hands off to the SysWOW64 copy, which is what happens when the module is a 32-bit DLL; that instance loads the dropped DLL and spawns cmd.exe and wermgr.exe, and wermgr.exe then enables SeDebugPrivilege, consistent with Trickbot's known use of wermgr.exe as the host process for its core.
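Turning the WriteProcessMemory events and the process command lines into a detection, as an added example that is not the sandbox's own logic: the script rebuilds the parent/child tree from the report's events (a subset, duplicates included, in the format the report prints them) and applies three rules written for this chain. The rule names, the "user-writable path" list and the event-format regex are my assumptions; the event lines and command lines are copied from the report.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory events and
flag the LNK -> cmd -> xcopy/rundll32 -> wermgr.exe chain. Added example:
event and command-line text is copied from the report, the parsing and the
rule names are mine, not the sandbox's."""
import re
from collections import defaultdict

# Subset of the report's 26 events, duplicates kept as the sandbox emits them.
# Format (inferred from the report): "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
WPM_EVENTS = """
PID 1988 wrote to memory of 1916 1988 cmd.exe cmd.exe
PID 1988 wrote to memory of 1916 1988 cmd.exe cmd.exe
PID 1916 wrote to memory of 268 1916 cmd.exe xcopy.exe
PID 1916 wrote to memory of 668 1916 cmd.exe rundll32.exe
PID 668 wrote to memory of 612 668 rundll32.exe rundll32.exe
PID 668 wrote to memory of 612 668 rundll32.exe rundll32.exe
PID 612 wrote to memory of 1932 612 rundll32.exe cmd.exe
PID 612 wrote to memory of 1928 612 rundll32.exe wermgr.exe
"""

# Command lines from the report's process list, keyed by the PIDs the events give them.
CMDLINES = {
    1988: r"cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk",
    1916: r'"C:\Windows\System32\cmd.exe" /C xcopy /H /y Documents.tmp c:\programdata '
          r"&& start rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer "
          r"&& del Documents.lnk && del Documents.tmp && mkdir Documents && exit",
    268: r"xcopy /H /y Documents.tmp c:\programdata",
    668: r"rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer",
    612: r"rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer",
    1932: r"C:\Windows\system32\cmd.exe",
    1928: r"C:\Windows\system32\wermgr.exe",
}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def build_tree(event_text):
    """Return (pid -> image name, parent pid -> set of child pids); repeated events collapse."""
    images, children = {}, defaultdict(set)
    for line in event_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["src_img"].lower()
        images[dst] = m["dst_img"].lower()
        children[src].add(dst)
    return images, dict(children)


RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>[^,\s]+),(?P<export>\w+)", re.I)
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")  # assumed list; extend for your estate


def detect(images, children, cmdlines):
    """Apply three behavioural rules; returns sorted (rule, pid) pairs."""
    findings = set()
    for pid, cmd in cmdlines.items():
        image = images.get(pid, "")
        if image == "rundll32.exe":
            # 1. rundll32 loading a module from a user-writable path or one hiding its .dll extension
            m = RUNDLL_RE.search(cmd)
            if m:
                module = m["module"].lower()
                if module.startswith(USER_WRITABLE) or not module.endswith(".dll"):
                    findings.add(("rundll32_untrusted_module", pid))
            # 2. rundll32 spawning wermgr.exe (normally started by svchost; Trickbot's injection host)
            if any(images.get(c) == "wermgr.exe" for c in children.get(pid, ())):
                findings.add(("rundll32_spawns_wermgr", pid))
        # 3. one cmd line that stages a payload with xcopy and deletes the .lnk that launched it
        if re.search(r"\bxcopy\b", cmd, re.I) and re.search(r"\bdel\s+\S+\.lnk\b", cmd, re.I):
            findings.add(("lnk_dropper_self_delete", pid))
    return sorted(findings)


if __name__ == "__main__":
    imgs, tree = build_tree(WPM_EVENTS)
    for parent, kids in sorted(tree.items()):
        print(f"{parent} {imgs[parent]} -> " + ", ".join(f"{k} {imgs[k]}" for k in sorted(kids)))
    for rule, pid in detect(imgs, tree, CMDLINES):
        print(f"[{rule}] pid {pid}: {CMDLINES[pid]}")
```

Rule 1 is restricted to processes whose image is rundll32.exe on purpose: the parent cmd.exe command line also contains the rundll32 invocation, and without that check it would fire twice for the same fact. Rule 3 catches the self-deleting launcher even when the dropped module never runs.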
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\programdata\Documents.tmp
  MD5: ac1d4a51b8c1f7f98a1033e5bc2e1de7
  SHA1: ddaed871b9f95a758b89c856a6d4ccf7751b8103
  SHA256: 7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7
  SHA512: 46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13
- \ProgramData\Documents.tmp (same file, same hashes)
  MD5: ac1d4a51b8c1f7f98a1033e5bc2e1de7
  SHA1: ddaed871b9f95a758b89c856a6d4ccf7751b8103
  SHA256: 7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7
  SHA512: 46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13
- memory/268-57-0x0000000000000000-mapping.dmp
- memory/612-63-0x00000000020B0000-0x0000000002318000-memory.dmp (2.4MB)
- memory/612-60-0x0000000000000000-mapping.dmp
- memory/612-61-0x0000000076231000-0x0000000076233000-memory.dmp (8KB)
- memory/612-64-0x00000000001B0000-0x00000000001F5000-memory.dmp (276KB)
- memory/612-65-0x0000000000210000-0x0000000000221000-memory.dmp (68KB)
- memory/612-66-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
- memory/668-58-0x0000000000000000-mapping.dmp
- memory/1916-56-0x0000000000000000-mapping.dmp
- memory/1928-67-0x0000000000000000-mapping.dmp
- memory/1928-69-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
- memory/1928-68-0x0000000000060000-0x0000000000089000-memory.dmp (164KB)
- memory/1988-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp (8KB)