Analysis
max time kernel: 154s
max time network: 160s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 21:56
Static task: static1
Behavioral task: behavioral1
Sample: 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
Resource: win7-en-20211208
General
Target: 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
Size: 877KB
MD5: 10e016270a6ac608389ad0c77ed522bf
SHA1: 26b0d47d5fadea36f909fd5576e51e5f3227735d
SHA256: 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830
SHA512: 887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b
Malware Config
Extracted
trickbot
1000479
trgt98888
C2:
192.3.104.46:443
23.94.233.210:443
172.82.152.126:443
192.3.247.11:443
202.29.215.114:449
autorun: Control:GetSystemInfo, Name:systeminfo, Name:pwgrab
Signatures

Trickbot x86 loader (3 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes (resource / yara_rule):
behavioral2/memory/3916-120-0x0000000002290000-0x00000000022BD000-memory.dmp / trickbot_loader32
behavioral2/memory/3916-122-0x0000000002260000-0x000000000228C000-memory.dmp / trickbot_loader32
behavioral2/memory/1296-130-0x0000000000600000-0x000000000074A000-memory.dmp / trickbot_loader32

Executes dropped EXE (2 IoCs)
Processes (pid / process):
3916 / 있서래처길모고른든.exe
1296 / 있서래처길모고른든.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (1 IoCs)
Processes (description / ioc / process):
Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache / svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
Token: SeTcbPrivilege / 376 / svchost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid / process):
1908 / 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
1908 / 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
3916 / 있서래처길모고른든.exe
3916 / 있서래처길모고른든.exe
1296 / 있서래처길모고른든.exe
1296 / 있서래처길모고른든.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / process / target process):
PID 1908 wrote to memory of 3916 / 1908 / 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe / 있서래처길모고른든.exe
PID 1908 wrote to memory of 3916 / 1908 / 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe / 있서래처길모고른든.exe
PID 1908 wrote to memory of 3916 / 1908 / 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe / 있서래처길모고른든.exe
PID 3916 wrote to memory of 60 / 3916 / 있서래처길모고른든.exe / svchost.exe
PID 3916 wrote to memory of 60 / 3916 / 있서래처길모고른든.exe / svchost.exe
PID 3916 wrote to memory of 60 / 3916 / 있서래처길모고른든.exe / svchost.exe
PID 3916 wrote to memory of 60 / 3916 / 있서래처길모고른든.exe / svchost.exe
PID 1296 wrote to memory of 376 / 1296 / 있서래처길모고른든.exe / svchost.exe
PID 1296 wrote to memory of 376 / 1296 / 있서래처길모고른든.exe / svchost.exe
PID 1296 wrote to memory of 376 / 1296 / 있서래처길모고른든.exe / svchost.exe
PID 1296 wrote to memory of 376 / 1296 / 있서래처길모고른든.exe / svchost.exe
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\있서래처길모고른든.exe
      command line: "C:\ProgramData\있서래처길모고른든.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
  command line: C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\있서래처길모고른든.exe
MD5: 10e016270a6ac608389ad0c77ed522bf
SHA1: 26b0d47d5fadea36f909fd5576e51e5f3227735d
SHA256: 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830
SHA512: 887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
MD5: 10e016270a6ac608389ad0c77ed522bf
SHA1: 26b0d47d5fadea36f909fd5576e51e5f3227735d
SHA256: 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830
SHA512: 887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

memory/60-125-0x000001C2D6D10000-0x000001C2D6D2E000-memory.dmp
Filesize: 120KB

memory/376-133-0x000001733BFA0000-0x000001733BFBE000-memory.dmp
Filesize: 120KB

memory/1296-130-0x0000000000600000-0x000000000074A000-memory.dmp
Filesize: 1.3MB

memory/3916-120-0x0000000002290000-0x00000000022BD000-memory.dmp
Filesize: 180KB

memory/3916-122-0x0000000002260000-0x000000000228C000-memory.dmp
Filesize: 176KB