Analysis
max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 05:28
Static task: static1
Behavioral task: behavioral1
Sample: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
Resource: win7-20220414-en
General
Target: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
Size: 567KB
MD5: 0cd4def993787db96cced94d5fbbd3d7
SHA1: c81a923e6924286cd3506ccebe4ae9597f55c7dc
SHA256: bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb
SHA512: 045eeb9b3854f7adea628f1180a1c799f2953f1c70c27ad5b0cc829ca6f633f37c40d89eb96270d7ba40588e587d390bf22aa3dde832dd7d4d8fa2df19406afc
Malware Config
Extracted
trickbot
1000496
ddd5
autorunName: pwgrab
Signatures

Trickbot x86 loader (6 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes (resource / yara_rule):
behavioral2/memory/3368-134-0x00000000026D0000-0x0000000002700000-memory.dmp / trickbot_loader32
behavioral2/memory/3368-136-0x0000000002360000-0x000000000238F000-memory.dmp / trickbot_loader32
behavioral2/memory/3368-137-0x00000000026D1000-0x0000000002700000-memory.dmp / trickbot_loader32
behavioral2/memory/3368-139-0x00000000026D1000-0x0000000002700000-memory.dmp / trickbot_loader32
behavioral2/memory/4068-148-0x0000000001251000-0x0000000001280000-memory.dmp / trickbot_loader32
behavioral2/memory/4068-150-0x0000000001251000-0x0000000001280000-memory.dmp / trickbot_loader32

Executes dropped EXE (2 IoCs)
Processes (pid / process):
3368 / гнпроаааааа.exe
4068 / гнпроаааааа.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
Key value queried / \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation / bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
868 / powershell.exe
868 / powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege / 868 / powershell.exe
Token: SeTcbPrivilege / 2036 / svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
3368 / гнпроаааааа.exe
4068 / гнпроаааааа.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description / pid / process / target process), with repeated identical entries collapsed to a count:
PID 4308 wrote to memory of 3368 / 4308 / bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe / гнпроаааааа.exe (3 entries)
PID 4308 wrote to memory of 3140 / 4308 / bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe / cmd.exe (3 entries)
PID 3140 wrote to memory of 3272 / 3140 / cmd.exe / PING.EXE (3 entries)
PID 3368 wrote to memory of 3024 / 3368 / гнпроаааааа.exe / svchost.exe (4 entries)
PID 3024 wrote to memory of 3076 / 3024 / svchost.exe / cmd.exe (2 entries)
PID 3076 wrote to memory of 868 / 3076 / cmd.exe / powershell.exe (2 entries)
PID 4068 wrote to memory of 2036 / 4068 / гнпроаааааа.exe / svchost.exe (4 entries)
Processes (indentation shows parent/child depth; each entry lists the image path, the command line, and the signatures that fired)

C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\гнпроаааааа.exe
    command line: "C:\ProgramData\гнпроаааааа.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: /C PowerShell "$f='C:\ProgramData\гнпроаааааа.exe';DO{Remove-Item -Force $f;$d=Test-Path $f }While($d)"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: PowerShell "$f='C:\ProgramData\гнпроаааааа.exe';DO{Remove-Item -Force $f;$d=Test-Path $f }While($d)"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe

C:\Users\Admin\AppData\Roaming\WinNetCore\гнпроаааааа.exe
  command line: C:\Users\Admin\AppData\Roaming\WinNetCore\гнпроаааааа.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\гнпроаааааа.exe
Filesize: 272KB
MD5: 2ea7224a97ba74607275231bde318c2f
SHA1: da62536c5b9246a99dfb8c6c7223a6dc81e7986a
SHA256: 6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66
SHA512: b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3

C:\Users\Admin\AppData\Roaming\WinNetCore\гнпроаааааа.exe
Filesize: 272KB
MD5: 2ea7224a97ba74607275231bde318c2f
SHA1: da62536c5b9246a99dfb8c6c7223a6dc81e7986a
SHA256: 6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66
SHA512: b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3

Memory dumps (filesize in parentheses where reported):
memory/868-142-0x0000000000000000-mapping.dmp
memory/868-144-0x00007FFE7F2D0000-0x00007FFE7FD91000-memory.dmp (10.8MB)
memory/868-143-0x000001A60C000000-0x000001A60C022000-memory.dmp (136KB)
memory/2036-152-0x0000028EEB150000-0x0000028EEB172000-memory.dmp (136KB)
memory/2036-151-0x0000028EEB150000-0x0000028EEB172000-memory.dmp (136KB)
memory/2036-149-0x0000000000000000-mapping.dmp
memory/3024-138-0x0000000000000000-mapping.dmp
memory/3024-141-0x0000026B29680000-0x0000026B296A2000-memory.dmp (136KB)
memory/3076-140-0x0000000000000000-mapping.dmp
memory/3140-133-0x0000000000000000-mapping.dmp
memory/3272-135-0x0000000000000000-mapping.dmp
memory/3368-130-0x0000000000000000-mapping.dmp
memory/3368-139-0x00000000026D1000-0x0000000002700000-memory.dmp (188KB)
memory/3368-137-0x00000000026D1000-0x0000000002700000-memory.dmp (188KB)
memory/3368-136-0x0000000002360000-0x000000000238F000-memory.dmp (188KB)
memory/3368-134-0x00000000026D0000-0x0000000002700000-memory.dmp (192KB)
memory/4068-148-0x0000000001251000-0x0000000001280000-memory.dmp (188KB)
memory/4068-150-0x0000000001251000-0x0000000001280000-memory.dmp (188KB)