Analysis
- max time kernel: 31s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 05:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
- Resource: win7-20220414-en
General
- Target: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
- Size: 567KB
- MD5: 0cd4def993787db96cced94d5fbbd3d7
- SHA1: c81a923e6924286cd3506ccebe4ae9597f55c7dc
- SHA256: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb
- SHA512: 045eeb9b3854f7adea628f1180a1c799f2953f1c70c27ad5b0cc829ca6f633f37c40d89eb96270d7ba40588e587d390bf22aa3dde832dd7d4d8fa2df19406afc
Malware Config
Extracted
- Family: trickbot
- Version: 1000496
- Botnet tag (gtag): ddd5
- Attributes: autorunName:pwgrab
Signatures
- Trickbot x86 loader (3 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
  resource | yara_rule
  behavioral1/memory/736-61-0x0000000000320000-0x0000000000350000-memory.dmp | trickbot_loader32
  behavioral1/memory/736-64-0x0000000000321000-0x0000000000350000-memory.dmp | trickbot_loader32
  behavioral1/memory/736-63-0x0000000000250000-0x000000000027F000-memory.dmp | trickbot_loader32
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  736 | гнпроаааааа.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1348 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
  1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  736 | гнпроаааааа.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1896 wrote to memory of 736 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | гнпроаааааа.exe
  PID 1896 wrote to memory of 736 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | гнпроаааааа.exe
  PID 1896 wrote to memory of 736 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | гнпроаааааа.exe
  PID 1896 wrote to memory of 736 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | гнпроаааааа.exe
  PID 1896 wrote to memory of 1348 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | cmd.exe
  PID 1896 wrote to memory of 1348 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | cmd.exe
  PID 1896 wrote to memory of 1348 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | cmd.exe
  PID 1896 wrote to memory of 1348 | 1896 | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe | cmd.exe
  PID 1348 wrote to memory of 2040 | 1348 | cmd.exe | PING.EXE
  PID 1348 wrote to memory of 2040 | 1348 | cmd.exe | PING.EXE
  PID 1348 wrote to memory of 2040 | 1348 | cmd.exe | PING.EXE
  PID 1348 wrote to memory of 2040 | 1348 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\ProgramData\гнпроаааааа.exe
    Command line: "C:\ProgramData\гнпроаааааа.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
Downloads
- C:\ProgramData\гнпроаааааа.exe
  Filesize: 272KB
  MD5: 2ea7224a97ba74607275231bde318c2f
  SHA1: da62536c5b9246a99dfb8c6c7223a6dc81e7986a
  SHA256: 6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66
  SHA512: b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3
- \ProgramData\гнпроаааааа.exe
  Filesize: 272KB
  MD5: 2ea7224a97ba74607275231bde318c2f
  SHA1: da62536c5b9246a99dfb8c6c7223a6dc81e7986a
  SHA256: 6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66
  SHA512: b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3
- memory/736-57-0x0000000000000000-mapping.dmp
- memory/736-61-0x0000000000320000-0x0000000000350000-memory.dmp
  Filesize: 192KB
- memory/736-64-0x0000000000321000-0x0000000000350000-memory.dmp
  Filesize: 188KB
- memory/736-63-0x0000000000250000-0x000000000027F000-memory.dmp
  Filesize: 188KB
- memory/1348-59-0x0000000000000000-mapping.dmp
- memory/1896-54-0x00000000765F1000-0x00000000765F3000-memory.dmp
  Filesize: 8KB
- memory/2040-60-0x0000000000000000-mapping.dmp