Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 08:32

Static task: static1
Behavioral task: behavioral1
Sample: 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Resource: win7-20220414-en
General

Target: 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Size: 424KB
MD5: a0c729c01ea861b5a20294303a612b9f
SHA1: ae122915a28c02908e1088670914962b827c42e0
SHA256: 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb
SHA512: 976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a
Malware Config

Extracted

Family: trickbot
Version: 100009
Botnet: lib5
C2 (ip:port):
  149.54.11.54:449
  36.89.191.119:449
  41.159.31.227:449
  103.150.68.124:449
  103.126.185.7:449
  103.112.145.58:449
  103.110.53.174:449
  102.164.208.44:449
  194.5.249.143:443
  142.202.191.175:443
  195.123.241.31:443
  45.89.125.214:443
  45.83.151.103:443
  91.200.103.41:443
  66.70.246.0:443
  64.74.160.218:443
  198.46.198.115:443
  5.34.180.173:443
  23.227.196.5:443
  195.123.241.115:443
  107.152.42.163:443
Attributes:
  autorunName: pwgrab
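The config block above is the part of this report that turns directly into network IOCs. The following script is an added example, not part of the sandbox report or of any Triage or TrickBot tooling: it parses the extracted block exactly as printed (family, version, botnet, one ip:port per line, then key:value attributes), emits one Suricata rule per C2 pair, and checks Zeek conn.log-style records against the C2 set on both address and port. The SID range and the connection-log lines are constructed for the example; the submission date (08-07-2022) is the reference point for how stale these addresses are, since TrickBot C2 lists churn quickly.

```python
"""Turn the extracted TrickBot config into network IOCs (added example)."""
import re
from dataclasses import dataclass, field

# Copied verbatim from the "Malware Config" section of the report.
CONFIG_TEXT = """\
trickbot
100009
lib5
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
autorunName:pwgrab
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class TrickBotConfig:
    family: str
    version: str
    botnet: str
    c2: list[tuple[str, int]] = field(default_factory=list)
    attrs: dict[str, str] = field(default_factory=dict)


def parse_config(text: str) -> TrickBotConfig:
    """Lines are: family, version, botnet, ip:port..., key:value attributes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = TrickBotConfig(family=lines[0], version=lines[1], botnet=lines[2])
    for ln in lines[3:]:
        m = C2_RE.match(ln)
        if m:
            cfg.c2.append((m.group(1), int(m.group(2))))
        elif ":" in ln:
            key, val = ln.split(":", 1)
            cfg.attrs[key] = val
    return cfg


def suricata_rules(cfg: TrickBotConfig, base_sid: int = 1000000) -> list[str]:
    """One outbound TCP rule per C2 pair. base_sid is an assumed local SID
    range; choose one that does not collide with your deployed rule sets."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"{cfg.family} {cfg.botnet} C2 {ip}:{port}"; '
        f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(cfg.c2)
    ]


def find_c2_connections(cfg: TrickBotConfig, conn_lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Match tab-separated (ts, orig_h, orig_p, resp_h, resp_p) records on
    (resp_h, resp_p). Matching the port matters: a hit on 449 is far more
    specific than a bare address match on a shared 443 host."""
    wanted = set(cfg.c2)
    hits = []
    for ln in conn_lines:
        if not ln or ln.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p = ln.split("\t")[:5]
        if (resp_h, int(resp_p)) in wanted:
            hits.append((ts, orig_h, resp_h, int(resp_p)))
    return hits


# Constructed connection-log lines for the example (not from the report).
SAMPLE_CONN_LOG = [
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p",
    "1657269180.1\t10.0.0.15\t49712\t149.54.11.54\t449",
    "1657269181.4\t10.0.0.15\t49713\t93.184.216.34\t443",
    "1657269182.9\t10.0.0.22\t50211\t194.5.249.143\t443",
    "1657269183.0\t10.0.0.22\t50212\t194.5.249.143\t80",
]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg.family, cfg.version, cfg.botnet, len(cfg.c2), cfg.attrs)
    print("\n".join(suricata_rules(cfg)[:2]))
    for hit in find_c2_connections(cfg, SAMPLE_CONN_LOG):
        print("C2 contact:", hit)
```

The last constructed record (194.5.249.143 on port 80) is deliberately not reported: the extracted config names that host on 443 only, and widening the match to address-only trades precision for recall without any evidence from this sample.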
Signatures

suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4820  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4520  wermgr.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2676 wrote to memory of 4820  2676  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
  PID 2676 wrote to memory of 4820  2676  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
  PID 2676 wrote to memory of 4820  2676  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
  PID 4820 wrote to memory of 4520  4820  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  wermgr.exe
  PID 4820 wrote to memory of 4520  4820  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  wermgr.exe
  PID 4820 wrote to memory of 4520  4820  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  wermgr.exe
  PID 4820 wrote to memory of 4520  4820  5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe  wermgr.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
      Command line: C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
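The process tree and the WriteProcessMemory / AdjustPrivilegeToken signatures describe one chain: the sample in Temp launches a copy of itself dropped under AppData\Roaming\DesktopColor, that copy spawns wermgr.exe and writes into its memory, and wermgr.exe then holds SeDebugPrivilege. The sandbox sees this through API hooks; on a production host the equivalent telemetry is Sysmon EventID 1 (ProcessCreate) and EventID 10 (ProcessAccess with its GrantedAccess mask). The detector below is an added example, not part of the report: the Sysmon field names and the Win32 access-right constants are real, but the event records, the parent PIDs (1180, 900) and the benign svchost-launched wermgr.exe record are constructed to mirror the report's PIDs.

```python
"""Detect the dropped-copy relaunch and the wermgr.exe injection from
Sysmon-style events (added example; events are constructed)."""
from dataclasses import dataclass
import ntpath  # NT path handling regardless of the analyst's OS

# Win32 process access rights as they appear in Sysmon EID 10 GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE = "5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe"
TEMP_COPY = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
ROAMING_COPY = ntpath.join(r"C:\Users\Admin\AppData\Roaming\DesktopColor", SAMPLE)
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed events mirroring the report's PIDs (2676 -> 4820 -> 4520),
# plus one benign wermgr.exe start from svchost.exe that must not alert.
EVENTS = [
    {"EventID": 1, "ProcessId": 2676, "ParentProcessId": 1180,
     "Image": TEMP_COPY, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4820, "ParentProcessId": 2676,
     "Image": ROAMING_COPY, "ParentImage": TEMP_COPY},
    {"EventID": 1, "ProcessId": 4520, "ParentProcessId": 4820,
     "Image": WERMGR, "ParentImage": ROAMING_COPY},
    {"EventID": 10, "SourceProcessId": 4820, "TargetProcessId": 4520,
     "SourceImage": ROAMING_COPY, "TargetImage": WERMGR,
     "GrantedAccess": 0x1FFFFF},
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 900,
     "Image": WERMGR, "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive directory prefix check for NT paths."""
    return path.lower().startswith(prefix.lower())


def detect(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 1:
            img, parent = ev["Image"], ev["ParentImage"]
            base = ntpath.basename(img).lower()
            pbase = ntpath.basename(parent).lower()
            # Same executable name as the parent but a different directory
            # under the Roaming profile: the dropped copy relaunching itself.
            if (base == pbase
                    and ntpath.dirname(img).lower() != ntpath.dirname(parent).lower()
                    and "\\appdata\\roaming\\" in img.lower()):
                findings.append(Finding("self_copy_relaunch", ev["ProcessId"],
                                        f"{parent} -> {img}"))
            # wermgr.exe normally comes from a Windows image (e.g. svchost.exe),
            # not from something in a user profile.
            if base == "wermgr.exe" and not _under(parent, r"C:\Windows"):
                findings.append(Finding("wermgr_unusual_parent", ev["ProcessId"], parent))
        elif ev["EventID"] == 10:
            # A non-Windows image opening wermgr.exe with VM_OPERATION|VM_WRITE
            # is the WriteProcessMemory step the sandbox flagged.
            if (ntpath.basename(ev["TargetImage"]).lower() == "wermgr.exe"
                    and (ev["GrantedAccess"] & INJECT_MASK) == INJECT_MASK
                    and not _under(ev["SourceImage"], r"C:\Windows")):
                findings.append(Finding(
                    "wermgr_memory_write", ev["TargetProcessId"],
                    f"from pid {ev['SourceProcessId']} {ev['SourceImage']} "
                    f"access 0x{ev['GrantedAccess']:X}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.rule, f.pid, f.detail)
```

The SeDebugPrivilege adjustment inside wermgr.exe is not something Sysmon records; Windows Security event 4703 (token right adjusted) captures it when that audit subcategory is enabled, and it is worth correlating with the two wermgr.exe findings above because a freshly started wermgr.exe has no business enabling debug privilege on its own.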
Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
  Filesize: 424KB
  MD5: a0c729c01ea861b5a20294303a612b9f
  SHA1: ae122915a28c02908e1088670914962b827c42e0
  SHA256: 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb
  SHA512: 976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a
Memory dumps

  dump                                                               filesize
  memory/2676-130-0x0000000000630000-0x0000000000635000-memory.dmp   20KB
  memory/2676-131-0x0000000000400000-0x000000000046A000-memory.dmp   424KB
  memory/2676-136-0x0000000000400000-0x000000000046A000-memory.dmp   424KB
  memory/4520-137-0x0000000000000000-mapping.dmp
  memory/4520-138-0x00000286388B0000-0x00000286388D7000-memory.dmp   156KB
  memory/4820-132-0x0000000000000000-mapping.dmp
  memory/4820-135-0x0000000000400000-0x000000000046A000-memory.dmp   424KB
  memory/4820-139-0x0000000000400000-0x000000000046A000-memory.dmp   424KB