Analysis

- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 06:40

- Static task: static1
- Behavioral task: behavioral1
  - Sample: aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
  - Resource: win7-20220414-en
General

- Target: aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
- Size: 424KB
- MD5: a28604cbd7a845fe3bae400f76ae4046
- SHA1: 2bb828db31142a0d03b1f646375b688e130f6ee0
- SHA256: aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71
- SHA512: 804e9d6076cc6cb886cb529897ec7c38314d658463ccc6567c0af7fbed61d2df770baf18886432b0e95c89fe0408b8816023a89a874630098190170f3de0f655
Malware Config

Extracted

- Family: trickbot
- Version: 1000498
- Botnet (gtag): wmd38
- C2 (41 entries; 20 on tcp/443, 21 on tcp/449):
  5.182.210.226:443
  82.146.62.52:443
  164.68.120.56:443
  185.11.146.86:443
  5.2.78.70:443
  185.65.202.240:443
  193.26.217.243:443
  81.177.180.254:443
  5.34.177.40:443
  185.186.77.222:443
  188.227.84.209:443
  185.45.193.76:443
  46.229.213.27:443
  88.99.112.87:443
  51.254.164.240:443
  45.148.120.13:443
  5.2.78.77:443
  64.44.51.125:443
  107.172.165.149:443
  45.148.120.14:443
  190.214.13.2:449
  181.140.173.186:449
  181.129.104.139:449
  181.113.28.146:449
  181.112.157.42:449
  170.84.78.224:449
  200.21.51.38:449
  46.174.235.36:449
  36.89.85.103:449
  181.129.134.18:449
  186.71.150.23:449
  131.161.253.190:449
  200.127.121.99:449
  114.8.133.71:449
  119.252.165.75:449
  121.100.19.18:449
  202.29.215.114:449
  180.180.216.177:449
  171.100.142.238:449
  186.232.91.240:449
  181.196.207.202:449
- Attributes: autorunName = pwgrab
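As an added example (mine, not part of the sandbox report), the C2 list above turned into something a responder can actually run: the entries are parsed into an ip-to-ports index, scanned against firewall-style log lines, and emitted as one Suricata rule per C2 port. The C2 entries and the gtag are taken from this page; the log lines are constructed for the demonstration and the SID range is an assumed local allocation.

```python
import re
from collections import defaultdict

# C2 endpoints exactly as listed in the Trickbot config extracted on this page.
TRICKBOT_C2 = """
5.182.210.226:443 82.146.62.52:443 164.68.120.56:443 185.11.146.86:443
5.2.78.70:443 185.65.202.240:443 193.26.217.243:443 81.177.180.254:443
5.34.177.40:443 185.186.77.222:443 188.227.84.209:443 185.45.193.76:443
46.229.213.27:443 88.99.112.87:443 51.254.164.240:443 45.148.120.13:443
5.2.78.77:443 64.44.51.125:443 107.172.165.149:443 45.148.120.14:443
190.214.13.2:449 181.140.173.186:449 181.129.104.139:449 181.113.28.146:449
181.112.157.42:449 170.84.78.224:449 200.21.51.38:449 46.174.235.36:449
36.89.85.103:449 181.129.134.18:449 186.71.150.23:449 131.161.253.190:449
200.127.121.99:449 114.8.133.71:449 119.252.165.75:449 121.100.19.18:449
202.29.215.114:449 180.180.216.177:449 171.100.142.238:449 186.232.91.240:449
181.196.207.202:449
""".split()


def parse_c2(entries):
    """Turn 'ip:port' strings into {ip: {port, ...}}; a malformed entry is an error,
    not a silently dropped indicator."""
    index = defaultdict(set)
    for entry in entries:
        ip, _, port = entry.rpartition(":")
        if not (ip and port.isdigit()):
            raise ValueError(f"bad c2 entry: {entry!r}")
        index[ip].add(int(port))
    return dict(index)


# Constructed firewall-style log lines (not from the report) used by the scan below.
SAMPLE_LOGS = [
    "2022-06-25T06:41:02Z action=allow src=10.0.0.15 dst=5.182.210.226 dport=443 proto=tcp",
    "2022-06-25T06:41:03Z action=allow src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp",
    "2022-06-25T06:41:09Z action=allow src=10.0.0.15 dst=190.214.13.2 dport=449 proto=tcp",
    "2022-06-25T06:41:15Z action=allow src=10.0.0.15 dst=82.146.62.52 dport=8080 proto=tcp",
    "2022-06-25T06:41:20Z action=deny src=10.0.0.15 dst=45.148.120.13 dport=443 proto=tcp",
]

LOG_RE = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)")


def scan_logs(lines, index):
    """Return (dst, dport, verdict) for every line whose destination is a C2 IP.
    'c2' is an exact ip:port match; 'c2-ip' means the IP matched on another port,
    which is the same infrastructure and still worth a look at lower confidence."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst in index:
            hits.append((dst, dport, "c2" if dport in index[dst] else "c2-ip"))
    return hits


def suricata_rules(index, base_sid=9000001):
    """One Suricata rule per C2 port with every IP for that port in an address list.
    base_sid is an assumed local SID range, not a value from the report."""
    by_port = defaultdict(list)
    for ip, ports in index.items():
        for port in ports:
            by_port[port].append(ip)
    rules = []
    for n, port in enumerate(sorted(by_port)):
        ips = ",".join(sorted(by_port[port], key=lambda s: tuple(map(int, s.split(".")))))
        rules.append(
            f"alert tcp $HOME_NET any -> [{ips}] {port} "
            f'(msg:"Trickbot C2 (gtag wmd38) port {port}"; flow:to_server; '
            f"sid:{base_sid + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    idx = parse_c2(TRICKBOT_C2)
    for hit in scan_logs(SAMPLE_LOGS, idx):
        print(hit)
    print("\n".join(suricata_rules(idx)))
```

The scan deliberately does not filter on `action=`: a denied connection attempt to a C2 is still a compromised host, and the `c2-ip` verdict catches the case where the list is stale on port but not on address.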
Signatures

- Dave packer (3 IoCs)
  Detects an executable using the packer the community calls 'Dave', based on a string at the end of the file.
  resource / yara_rule:
    behavioral2/memory/4220-130-0x00000000022C0000-0x00000000022F5000-memory.dmp  dave
    behavioral2/memory/4220-134-0x0000000002280000-0x00000000022B2000-memory.dmp  dave
    behavioral2/memory/3032-138-0x0000000002190000-0x00000000021C5000-memory.dmp  dave

- Executes dropped EXE (1 IoC)
  pid / process:
    3032  قا嗶δηнг.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description / ioc / process:
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; the config extracted above identifies this sample as Trickbot, so read it here as drive enumeration rather than as evidence of file encryption.

- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process:
    4220  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
    4220  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
    3032  قا嗶δηнг.exe
    3032  قا嗶δηнг.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / process / target process:
    PID 4220 wrote to memory of 3032  4220  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe  قا嗶δηнг.exe
    PID 4220 wrote to memory of 3032  4220  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe  قا嗶δηнг.exe
    PID 4220 wrote to memory of 3032  4220  aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe  قا嗶δηнг.exe
    PID 3032 wrote to memory of 2036  3032  قا嗶δηнг.exe  svchost.exe
    PID 3032 wrote to memory of 2036  3032  قا嗶δηнг.exe  svchost.exe
    PID 3032 wrote to memory of 2036  3032  قا嗶δηнг.exe  svchost.exe
    PID 3032 wrote to memory of 2036  3032  قا嗶δηнг.exe  svchost.exe
  The chain is the submitted sample (PID 4220) writing into its dropped copy (PID 3032), which in turn writes into svchost.exe (PID 2036); the 136KB region dumped from PID 2036 in the Downloads list is where to look for the injected code.
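To work with the WriteProcessMemory rows as data rather than prose, here is an added parser (my code, not the sandbox's) that reads the records exactly as the page flattens them, collapses the repeated rows into per-edge write counts, and walks the writer-to-target chain to the leaf process. The only input is the seven rows from this report; the list of system images to flag is an assumption.

```python
import re
from collections import defaultdict

# The seven WriteProcessMemory rows from this report, in the flattened form the
# page prints them: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
WPM_RECORDS = (
    "PID 4220 wrote to memory of 3032 4220 aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe قا嗶δηнг.exe "
    "PID 4220 wrote to memory of 3032 4220 aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe قا嗶δηнг.exe "
    "PID 4220 wrote to memory of 3032 4220 aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe قا嗶δηнг.exe "
    "PID 3032 wrote to memory of 2036 3032 قا嗶δηнг.exe svchost.exe "
    "PID 3032 wrote to memory of 2036 3032 قا嗶δηнг.exe svchost.exe "
    "PID 3032 wrote to memory of 2036 3032 قا嗶δηнг.exe svchost.exe "
    "PID 3032 wrote to memory of 2036 3032 قا嗶δηнг.exe svchost.exe"
)

# The writer pid is repeated after the target pid; the backreference enforces that,
# so a row that does not follow the layout is skipped rather than misread.
REC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image_name})."""
    edges = defaultdict(int)
    names = {}
    for m in REC_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["src_img"]
        names[dst] = m["dst_img"]
        edges[(src, dst)] += 1
    return dict(edges), names


def injection_chains(edges, names):
    """Walk writer -> target edges from the roots (pids nobody wrote into) to the
    leaves. Each chain is a list of (pid, image); the leaf is the process whose
    memory holds the final payload, i.e. the one to dump first."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    chains = []

    def walk(pid, path, seen):
        nxt = [d for s, d in edges if s == pid and d not in seen]
        if not nxt:
            chains.append([(p, names[p]) for p in path])
            return
        for d in nxt:
            walk(d, path + [d], seen | {d})

    for root in sorted(writers - targets):
        walk(root, [root], {root})
    return chains


def unusual_targets(chains, system_images=("svchost.exe",)):
    """Chain leaves that are Windows system binaries: a binary run out of
    ProgramData writing into one is the injection pattern worth alerting on.
    The image list is an assumption for this example."""
    return [chain[-1] for chain in chains if chain[-1][1].lower() in system_images]


if __name__ == "__main__":
    edges, names = parse_records(WPM_RECORDS)
    for (s, d), n in sorted(edges.items()):
        print(f"{s} ({names[s]}) -> {d} ({names[d]}): {n} writes")
    chains = injection_chains(edges, names)
    for chain in chains:
        print(" -> ".join(f"{p}:{img}" for p, img in chain))
    print("system-binary targets:", unusual_targets(chains))
```

Collapsing the seven rows to two edges makes the shape obvious: three writes from 4220 into 3032, four from 3032 into 2036, one chain, ending in svchost.exe.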
Processes

- C:\Users\Admin\AppData\Local\Temp\aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\قا嗶δηнг.exe
    command line: "C:\ProgramData\قا嗶δηнг.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe

Note the third-level svchost.exe: it is started by the ProgramData binary with a bare command line, no "-k <group>" argument as a service-host instance started by services.exe would have, which is the usual sign of svchost.exe being used as an injection host.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\قا嗶δηнг.exe
  Filesize: 424KB
  MD5: a28604cbd7a845fe3bae400f76ae4046
  SHA1: 2bb828db31142a0d03b1f646375b688e130f6ee0
  SHA256: aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71
  SHA512: 804e9d6076cc6cb886cb529897ec7c38314d658463ccc6567c0af7fbed61d2df770baf18886432b0e95c89fe0408b8816023a89a874630098190170f3de0f655
  Every hash matches the submitted sample: the dropped file is a byte-for-byte copy of it, written to C:\ProgramData under a mixed-script (Arabic, CJK, Greek, Cyrillic) filename.

- memory/2036-145-0x0000000000000000-mapping.dmp
- memory/2036-147-0x000001AF44E60000-0x000001AF44E82000-memory.dmp (136KB)
- memory/3032-135-0x0000000000000000-mapping.dmp
- memory/3032-138-0x0000000002190000-0x00000000021C5000-memory.dmp (212KB)
- memory/3032-142-0x0000000002250000-0x0000000002281000-memory.dmp (196KB)
- memory/3032-143-0x00000000021D0000-0x0000000002201000-memory.dmp (196KB)
- memory/3032-144-0x0000000002251000-0x0000000002281000-memory.dmp (192KB)
- memory/3032-146-0x0000000010001000-0x0000000010006000-memory.dmp (20KB)
- memory/3032-148-0x0000000002251000-0x0000000002281000-memory.dmp (192KB)
- memory/4220-134-0x0000000002280000-0x00000000022B2000-memory.dmp (200KB)
- memory/4220-130-0x00000000022C0000-0x00000000022F5000-memory.dmp (212KB)