Analysis
-
max time kernel
60s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 07:10
Static task
static1
Behavioral task
behavioral1
Sample
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe
Resource
win7-20220414-en
General
-
Target
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe
-
Size
428KB
-
MD5
cd40c5aac2b062de2b52641c98268aa5
-
SHA1
0a7e67671c522a702d853f2a75f80e4a1d799a52
-
SHA256
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210
-
SHA512
bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa
Malware Config
Extracted
trickbot
1000498
wmd38
5.182.210.226:443
82.146.62.52:443
164.68.120.56:443
185.11.146.86:443
5.2.78.70:443
185.65.202.240:443
193.26.217.243:443
81.177.180.254:443
5.34.177.40:443
185.186.77.222:443
188.227.84.209:443
185.45.193.76:443
46.229.213.27:443
88.99.112.87:443
51.254.164.240:443
45.148.120.13:443
5.2.78.77:443
64.44.51.125:443
107.172.165.149:443
45.148.120.14:443
190.214.13.2:449
181.140.173.186:449
181.129.104.139:449
181.113.28.146:449
181.112.157.42:449
170.84.78.224:449
200.21.51.38:449
46.174.235.36:449
36.89.85.103:449
181.129.134.18:449
186.71.150.23:449
131.161.253.190:449
200.127.121.99:449
114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
202.29.215.114:449
180.180.216.177:449
171.100.142.238:449
186.232.91.240:449
181.196.207.202:449
-
autorunName:pwgrab
Signatures
-
Trickbot x86 loader 6 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource yara_rule behavioral1/memory/1828-55-0x00000000021F0000-0x0000000002224000-memory.dmp trickbot_loader32 behavioral1/memory/768-69-0x0000000002F00000-0x0000000002F31000-memory.dmp trickbot_loader32 behavioral1/memory/768-64-0x0000000002EC0000-0x0000000002EF4000-memory.dmp trickbot_loader32 behavioral1/memory/1828-70-0x00000000021B0000-0x00000000021E1000-memory.dmp trickbot_loader32 behavioral1/memory/768-72-0x0000000002F01000-0x0000000002F31000-memory.dmp trickbot_loader32 behavioral1/memory/768-71-0x0000000001DB0000-0x0000000001DE0000-memory.dmp trickbot_loader32 -
Dave packer 3 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
Processes:
resource yara_rule behavioral1/memory/1828-55-0x00000000021F0000-0x0000000002224000-memory.dmp dave behavioral1/memory/768-64-0x0000000002EC0000-0x0000000002EF4000-memory.dmp dave behavioral1/memory/1828-70-0x00000000021B0000-0x00000000021E1000-memory.dmp dave -
Executes dropped EXE 1 IoCs
Processes:
ьтتدتգդᠲ.exepid process 768 ьтتدتգդᠲ.exe -
Loads dropped DLL 2 IoCs
Processes:
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exepid process 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exeьтتدتգդᠲ.exedescription ioc process File opened (read-only) \??\D: 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe File opened (read-only) \??\D: ьтتدتգդᠲ.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 1632 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1632 AUDIODG.EXE Token: 33 1632 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1632 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exeьтتدتգդᠲ.exepid process 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe 768 ьтتدتգդᠲ.exe 768 ьтتدتգդᠲ.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exedescription pid process target process PID 1828 wrote to memory of 768 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe ьтتدتգդᠲ.exe PID 1828 wrote to memory of 768 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe ьтتدتգդᠲ.exe PID 1828 wrote to memory of 768 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe ьтتدتգդᠲ.exe PID 1828 wrote to memory of 768 1828 6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe ьтتدتգդᠲ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe"C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\ьтتدتգդᠲ.exe"C:\ProgramData\ьтتدتգդᠲ.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1a81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\ьтتدتգդᠲ.exeFilesize
428KB
MD5cd40c5aac2b062de2b52641c98268aa5
SHA10a7e67671c522a702d853f2a75f80e4a1d799a52
SHA2566120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210
SHA512bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa
-
C:\ProgramData\ьтتدتգդᠲ.exeFilesize
428KB
MD5cd40c5aac2b062de2b52641c98268aa5
SHA10a7e67671c522a702d853f2a75f80e4a1d799a52
SHA2566120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210
SHA512bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa
-
\ProgramData\ьтتدتգդᠲ.exeFilesize
428KB
MD5cd40c5aac2b062de2b52641c98268aa5
SHA10a7e67671c522a702d853f2a75f80e4a1d799a52
SHA2566120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210
SHA512bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa
-
\ProgramData\ьтتدتգդᠲ.exeFilesize
428KB
MD5cd40c5aac2b062de2b52641c98268aa5
SHA10a7e67671c522a702d853f2a75f80e4a1d799a52
SHA2566120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210
SHA512bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa
-
memory/768-61-0x0000000000000000-mapping.dmp
-
memory/768-69-0x0000000002F00000-0x0000000002F31000-memory.dmpFilesize
196KB
-
memory/768-64-0x0000000002EC0000-0x0000000002EF4000-memory.dmpFilesize
208KB
-
memory/768-72-0x0000000002F01000-0x0000000002F31000-memory.dmpFilesize
192KB
-
memory/768-71-0x0000000001DB0000-0x0000000001DE0000-memory.dmpFilesize
192KB
-
memory/1828-54-0x0000000076011000-0x0000000076013000-memory.dmpFilesize
8KB
-
memory/1828-55-0x00000000021F0000-0x0000000002224000-memory.dmpFilesize
208KB
-
memory/1828-70-0x00000000021B0000-0x00000000021E1000-memory.dmpFilesize
196KB