Analysis

max time kernel: 156s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 03:18

Static task: static1
Behavioral task: behavioral1
Sample: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
Resource: win7-20220414-en
General

Target: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
Size: 324KB
MD5: b2dc507828839a7be9480788f3070f22
SHA1: 006e3c0e7edb3e46706c84bef04e5bc3dbe63c85
SHA256: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8
SHA512: b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb
Malware Config

Extracted
Family: trickbot
Version: 1000491
Botnet: red2
C2:
23.94.70.12:443
5.182.210.132:443
5.2.75.137:443
172.82.152.136:443
198.23.252.117:443
194.5.250.62:443
185.14.30.176:443
195.123.245.127:443
195.54.162.179:443
184.164.137.190:443
198.46.161.213:443
64.44.51.106:443
107.172.251.159:443
85.143.220.41:443
107.172.29.108:443
107.172.208.51:443
107.181.187.221:443
190.214.13.2:449
181.140.173.186:449
181.129.104.139:449
181.113.28.146:449
181.112.157.42:449
170.84.78.224:449
200.21.51.38:449
46.174.235.36:449
36.89.85.103:449
181.129.134.18:449
186.71.150.23:449
131.161.253.190:449
200.127.121.99:449
114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
202.29.215.114:449
180.180.216.177:449
171.100.142.238:449
186.232.91.240:449
181.196.207.202:449
autorunName: pwgrab
Signatures

Trickbot x86 loader (4 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource: behavioral2/memory/5080-133-0x00000000009C0000-0x00000000009ED000-memory.dmp  yara_rule: trickbot_loader32
  resource: behavioral2/memory/5080-135-0x0000000000990000-0x00000000009BD000-memory.dmp  yara_rule: trickbot_loader32
  resource: behavioral2/memory/5080-136-0x00000000009C1000-0x00000000009ED000-memory.dmp  yara_rule: trickbot_loader32
  resource: behavioral2/memory/2228-143-0x0000000000A01000-0x0000000000A2D000-memory.dmp  yara_rule: trickbot_loader32

Executes dropped EXE (2 IoCs)
Processes:
  pid 5080  ñôâÿûâÛÔ.exe
  pid 2228  ñôâÿûâÛÔ.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  process: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (4 IoCs)
Processes:
  Key created  \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\HexEnc\Settings  process: ñôâÿûâÛÔ.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications  process: ñôâÿûâÛÔ.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\HexEnc  process: ñôâÿûâÛÔ.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\HexEnc\Recent File List  process: ñôâÿûâÛÔ.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeTcbPrivilege  pid 3704  svchost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid 3176  7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
  pid 3176  7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
  pid 5080  ñôâÿûâÛÔ.exe
  pid 5080  ñôâÿûâÛÔ.exe
  pid 2228  ñôâÿûâÛÔ.exe
  pid 2228  ñôâÿûâÛÔ.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 3176 wrote to memory of 5080  7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe -> ñôâÿûâÛÔ.exe
  PID 3176 wrote to memory of 5080  7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe -> ñôâÿûâÛÔ.exe
  PID 3176 wrote to memory of 5080  7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe -> ñôâÿûâÛÔ.exe
  PID 5080 wrote to memory of 5072  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 5080 wrote to memory of 5072  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 5080 wrote to memory of 5072  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 5080 wrote to memory of 5072  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 2228 wrote to memory of 3704  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 2228 wrote to memory of 3704  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 2228 wrote to memory of 3704  ñôâÿûâÛÔ.exe -> svchost.exe
  PID 2228 wrote to memory of 3704  ñôâÿûâÛÔ.exe -> svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\ñôâÿûâÛÔ.exe
    command line: "C:\ProgramData\ñôâÿûâÛÔ.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
  command line: C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\ñôâÿûâÛÔ.exe
  Filesize: 324KB
  MD5: b2dc507828839a7be9480788f3070f22
  SHA1: 006e3c0e7edb3e46706c84bef04e5bc3dbe63c85
  SHA256: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8
  SHA512: b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb
C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
  Filesize: 324KB
  MD5: b2dc507828839a7be9480788f3070f22
  SHA1: 006e3c0e7edb3e46706c84bef04e5bc3dbe63c85
  SHA256: 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8
  SHA512: b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb
memory/2228-144-0x0000000010001000-0x0000000010005000-memory.dmp
  Filesize: 16KB

memory/2228-143-0x0000000000A01000-0x0000000000A2D000-memory.dmp
  Filesize: 176KB

memory/3704-146-0x00000225BCAA0000-0x00000225BCAC0000-memory.dmp
  Filesize: 128KB

memory/3704-145-0x00000225BCAA0000-0x00000225BCAC0000-memory.dmp
  Filesize: 128KB

memory/3704-142-0x0000000000000000-mapping.dmp

memory/5072-134-0x0000000000000000-mapping.dmp

memory/5072-138-0x0000025D8AAE0000-0x0000025D8AB00000-memory.dmp
  Filesize: 128KB

memory/5072-137-0x0000025D8AAE0000-0x0000025D8AB00000-memory.dmp
  Filesize: 128KB

memory/5080-136-0x00000000009C1000-0x00000000009ED000-memory.dmp
  Filesize: 176KB

memory/5080-135-0x0000000000990000-0x00000000009BD000-memory.dmp
  Filesize: 180KB

memory/5080-130-0x0000000000000000-mapping.dmp

memory/5080-133-0x00000000009C0000-0x00000000009ED000-memory.dmp
  Filesize: 180KB