Analysis
Max time kernel: 126s
Max time network: 150s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 28-01-2022 18:25

Static task: static1
Behavioral task: behavioral1
Sample: 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
Resource: win7-en-20211208
General
Target: 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
Size: 977KB
MD5: 224e89cd4b5c4f8fdf2cff1c4dfe42e2
SHA1: c7371ce37c57a8725ddf4d551ecdbae8b097e638
SHA256: 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534
SHA512: 36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc
Malware Config
Extracted
trickbot
1000475
trgeu1
autorun
Control: GetSystemInfo
Name: systeminfo
Name: pwgrab
Signatures
Trickbot x86 loader (2 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource | yara_rule
  behavioral2/memory/1908-126-0x0000000002150000-0x000000000217E000-memory.dmp | trickbot_loader32
  behavioral2/memory/1524-142-0x0000000000D50000-0x0000000000D7C000-memory.dmp | trickbot_loader32

Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1908 | вгббН.exe
  656 | ооиаа.exe
  1524 | вгббН.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeTcbPrivilege | 748 | svchost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid | process
  3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
  3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
  1908 | вгббН.exe
  1908 | вгббН.exe
  1524 | вгббН.exe
  1524 | вгббН.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 3532 wrote to memory of 1908 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | вгббН.exe
  PID 3532 wrote to memory of 1908 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | вгббН.exe
  PID 3532 wrote to memory of 1908 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | вгббН.exe
  PID 3532 wrote to memory of 656 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | ооиаа.exe
  PID 3532 wrote to memory of 656 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | ооиаа.exe
  PID 3532 wrote to memory of 656 | 3532 | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe | ооиаа.exe
  PID 1908 wrote to memory of 3588 | 1908 | вгббН.exe | svchost.exe
  PID 1908 wrote to memory of 3588 | 1908 | вгббН.exe | svchost.exe
  PID 1908 wrote to memory of 3588 | 1908 | вгббН.exe | svchost.exe
  PID 1908 wrote to memory of 3588 | 1908 | вгббН.exe | svchost.exe
  PID 1524 wrote to memory of 748 | 1524 | вгббН.exe | svchost.exe
  PID 1524 wrote to memory of 748 | 1524 | вгббН.exe | svchost.exe
  PID 1524 wrote to memory of 748 | 1524 | вгббН.exe | svchost.exe
  PID 1524 wrote to memory of 748 | 1524 | вгббН.exe | svchost.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\вгббН.exe
      Command line: "C:\ProgramData\вгббН.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
   2. C:\ProgramData\ооиаа.exe
      Command line: "C:\ProgramData\ооиаа.exe"
      - Executes dropped EXE
1. C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
   Command line: C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
   - Executes dropped EXE
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\вгббН.exe
MD5: 224e89cd4b5c4f8fdf2cff1c4dfe42e2
SHA1: c7371ce37c57a8725ddf4d551ecdbae8b097e638
SHA256: 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534
SHA512: 36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

C:\ProgramData\ооиаа.exe
MD5: 2c24eaad1af80b2320c8eca59208b9e3
SHA1: 354a2eb38a26dc7b035b439385a572b5f7ec72ed
SHA256: 295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c
SHA512: b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
MD5: 224e89cd4b5c4f8fdf2cff1c4dfe42e2
SHA1: c7371ce37c57a8725ddf4d551ecdbae8b097e638
SHA256: 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534
SHA512: 36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Memory dumps
memory/656-130-0x0000000000490000-0x0000000000498000-memory.dmp
Filesize: 32KB

memory/656-131-0x0000000005280000-0x000000000577E000-memory.dmp
Filesize: 5.0MB

memory/656-132-0x0000000004CD0000-0x0000000004D62000-memory.dmp
Filesize: 584KB

memory/656-133-0x0000000004C30000-0x0000000004CC2000-memory.dmp
Filesize: 584KB

memory/656-134-0x0000000004E50000-0x0000000004E5A000-memory.dmp
Filesize: 40KB

memory/748-147-0x0000016B9EC90000-0x0000016B9ECAE000-memory.dmp
Filesize: 120KB

memory/1524-142-0x0000000000D50000-0x0000000000D7C000-memory.dmp
Filesize: 176KB

memory/1908-129-0x0000000000720000-0x0000000002143000-memory.dmp
Filesize: 26.1MB

memory/1908-126-0x0000000002150000-0x000000000217E000-memory.dmp
Filesize: 184KB

memory/3588-137-0x000001C9936B0000-0x000001C9936CE000-memory.dmp
Filesize: 120KB