Analysis
- max time kernel: 143s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 03:59

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe
  - Resource: win7-20220414-en
  - Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe
- Size: 545KB
- MD5: 573835d85e963507b07123fcb20a121b
- SHA1: 9926c45a64b6e85897f35b2e9df226f7ea5e68fd
- SHA256: ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c
- SHA512: 7bac91e3235a1c46f6b885d18d4cc50c33dbe68c6f7c1daade0dd7c99d6717556d7f6b07d704f9b93974192a1c39879a76a723e3ce9628f9452ba8d7177ca605
Malware Config
Signatures
- Trickbot x86 loader (2 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource | yara_rule):
  - behavioral1/memory/1672-54-0x0000000000370000-0x0000000000379000-memory.dmp | trickbot_loader32
  - behavioral1/memory/1672-56-0x0000000000370000-0x0000000000379000-memory.dmp | trickbot_loader32
- Deletes itself (1 IoCs)
  Processes (pid | process):
  - 2004 | powershell.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  - 2004 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 2004 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 1672 wrote to memory of 992 | 1672 | ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe | cmd.exe
  - PID 1672 wrote to memory of 992 | 1672 | ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe | cmd.exe
  - PID 1672 wrote to memory of 992 | 1672 | ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe | cmd.exe
  - PID 1672 wrote to memory of 992 | 1672 | ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe | cmd.exe
  - PID 992 wrote to memory of 2004 | 992 | cmd.exe | powershell.exe
  - PID 992 wrote to memory of 2004 | 992 | cmd.exe | powershell.exe
  - PID 992 wrote to memory of 2004 | 992 | cmd.exe | powershell.exe
  - PID 992 wrote to memory of 2004 | 992 | cmd.exe | powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe"
      - Deletes itself
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/992-55-0x0000000000000000-mapping.dmp
- memory/1672-54-0x0000000000370000-0x0000000000379000-memory.dmp (Filesize: 36KB)
- memory/1672-56-0x0000000000370000-0x0000000000379000-memory.dmp (Filesize: 36KB)
- memory/2004-57-0x0000000000000000-mapping.dmp
- memory/2004-58-0x00000000763C1000-0x00000000763C3000-memory.dmp (Filesize: 8KB)
- memory/2004-59-0x0000000073F20000-0x00000000744CB000-memory.dmp (Filesize: 5.7MB)
- memory/2004-60-0x0000000073F20000-0x00000000744CB000-memory.dmp (Filesize: 5.7MB)