Analysis
-
max time kernel
105s -
max time network
14s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-01-2022 19:39
Static task
static1
Behavioral task
behavioral1
Sample
bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
Resource
win7-en-20211208
General
-
Target
bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
-
Size
874KB
-
MD5
5e0303742e801bb71ba15f5895acbe8c
-
SHA1
91270cb84c2a40ed488b4ca363f1db06b7edc589
-
SHA256
bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41
-
SHA512
63ea8a5dfdc1022e4038985a27462c41b52375e0177167a8f5ca8a785ad5bc0b33a4cf026328343743c7db56900bdef9a981bd0cd01e64f2e14181a9b211a61d
Malware Config
Extracted
trickbot
1000477
trg88889
-
autorun
Control: GetSystemInfo, Name: systeminfo
Name: pwgrab
Signatures
-
Trickbot x86 loader 2 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource yara_rule
behavioral1/memory/1612-61-0x0000000000360000-0x000000000038E000-memory.dmp trickbot_loader32
behavioral1/memory/1612-63-0x00000000002C0000-0x00000000002EC000-memory.dmp trickbot_loader32
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1612 すすのは抱べも私.exe
1568 すすのは抱べも私.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeTcbPrivilege 1120 svchost.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid process
1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
1612 すすのは抱べも私.exe
1612 すすのは抱べも私.exe
1568 すすのは抱べも私.exe
1568 すすのは抱べも私.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description pid process target process
PID 1268 wrote to memory of 1612 1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe すすのは抱べも私.exe
PID 1268 wrote to memory of 1612 1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe すすのは抱べも私.exe
PID 1268 wrote to memory of 1612 1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe すすのは抱べも私.exe
PID 1268 wrote to memory of 1612 1268 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe すすのは抱べも私.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 1612 wrote to memory of 972 1612 すすのは抱べも私.exe svchost.exe
PID 788 wrote to memory of 1568 788 taskeng.exe すすのは抱べも私.exe
PID 788 wrote to memory of 1568 788 taskeng.exe すすのは抱べも私.exe
PID 788 wrote to memory of 1568 788 taskeng.exe すすのは抱べも私.exe
PID 788 wrote to memory of 1568 788 taskeng.exe すすのは抱べも私.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
PID 1568 wrote to memory of 1120 1568 すすのは抱べも私.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe
"C:\Users\Admin\AppData\Local\Temp\bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41.exe" (level 1)
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\すすのは抱べも私.exe
"C:\ProgramData\すすのは抱べも私.exe" (level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe (level 3)
-
C:\Windows\system32\taskeng.exe
taskeng.exe {AAE26F00-494D-473A-9128-988208F918DE} S-1-5-18:NT AUTHORITY\System:Service: (level 1)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe
C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe (level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe (level 3)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\すすのは抱べも私.exe
MD5 5e0303742e801bb71ba15f5895acbe8c
SHA1 91270cb84c2a40ed488b4ca363f1db06b7edc589
SHA256 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41
SHA512 63ea8a5dfdc1022e4038985a27462c41b52375e0177167a8f5ca8a785ad5bc0b33a4cf026328343743c7db56900bdef9a981bd0cd01e64f2e14181a9b211a61d
-
C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe
MD5 5e0303742e801bb71ba15f5895acbe8c
SHA1 91270cb84c2a40ed488b4ca363f1db06b7edc589
SHA256 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41
SHA512 63ea8a5dfdc1022e4038985a27462c41b52375e0177167a8f5ca8a785ad5bc0b33a4cf026328343743c7db56900bdef9a981bd0cd01e64f2e14181a9b211a61d
-
\ProgramData\すすのは抱べも私.exe
MD5 5e0303742e801bb71ba15f5895acbe8c
SHA1 91270cb84c2a40ed488b4ca363f1db06b7edc589
SHA256 bbe02e749c9d0d47527a268418fd354f4bf7351657e25cdc5e7dd79ee5a32b41
SHA512 63ea8a5dfdc1022e4038985a27462c41b52375e0177167a8f5ca8a785ad5bc0b33a4cf026328343743c7db56900bdef9a981bd0cd01e64f2e14181a9b211a61d
-
memory/972-65-0x0000000000060000-0x000000000007E000-memory.dmp
Filesize 120KB
-
memory/1120-71-0x0000000000060000-0x000000000007E000-memory.dmp
Filesize 120KB
-
memory/1268-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
Filesize 8KB
-
memory/1612-61-0x0000000000360000-0x000000000038E000-memory.dmp
Filesize 184KB
-
memory/1612-63-0x00000000002C0000-0x00000000002EC000-memory.dmp
Filesize 176KB