Analysis
- max time kernel: 132s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 05:34
Static task: static1
Behavioral task: behavioral1
Sample: e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
Resource: win7-20220715-en
General
- Target: e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
- Size: 500KB
- MD5: befa5f863f0135a4c707840bca4a00d8
- SHA1: 59638e244df8b59916d1c16c94eae8ee8f2814b5
- SHA256: e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2
- SHA512: 7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154
Malware Config
Signatures
-
Trickbot x86 loader (5 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource                                                                        yara_rule
behavioral2/memory/4644-133-0x0000000002190000-0x00000000021BE000-memory.dmp    trickbot_loader32
behavioral2/memory/4644-142-0x0000000002160000-0x000000000218D000-memory.dmp    trickbot_loader32
behavioral2/memory/1720-144-0x00000000029F1000-0x0000000002A1D000-memory.dmp    trickbot_loader32
behavioral2/memory/4644-143-0x0000000002191000-0x00000000021BD000-memory.dmp    trickbot_loader32
behavioral2/memory/748-150-0x00000000015D1000-0x00000000015FD000-memory.dmp     trickbot_loader32
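The YARA hits above name their dumps as <pid>-<sequence>-0x<start>-0x<end>-memory.dmp, so the region sizes and the relationship between dumps of the same process can be recovered from the file names alone. The helper below is an added example written for this page, not part of the sandbox report or of any sandbox tooling; it parses those five names (copied from the report), recomputes each region's size, and lists dumps that lie inside an earlier dump of the same PID. The name pattern is assumed from the lines on this page, and the reading of a nested later dump as "same region re-captured after unpacking" is an analyst's interpretation, not something the report states.

```python
import re
from collections import defaultdict

# Dump names copied from the report's "Trickbot x86 loader" YARA hits (behavioral2).
YARA_HITS = [
    "behavioral2/memory/4644-133-0x0000000002190000-0x00000000021BE000-memory.dmp",
    "behavioral2/memory/4644-142-0x0000000002160000-0x000000000218D000-memory.dmp",
    "behavioral2/memory/1720-144-0x00000000029F1000-0x0000000002A1D000-memory.dmp",
    "behavioral2/memory/4644-143-0x0000000002191000-0x00000000021BD000-memory.dmp",
    "behavioral2/memory/748-150-0x00000000015D1000-0x00000000015FD000-memory.dmp",
]

# <pid>-<sequence>-0x<start>-0x<end>-memory.dmp: the naming pattern assumed from
# the report's lines. "-mapping.dmp" entries carry no range and are rejected.
DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start, end and byte size."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a ranged memory dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def size_kb(dump):
    """Whole-kilobyte size, the unit the report's dump listing uses."""
    return dump["size"] // 1024


def by_pid(names):
    """Group parsed dumps per process, ordered by the sandbox's dump sequence number."""
    groups = defaultdict(list)
    for d in (parse_dump_name(n) for n in names):
        groups[d["pid"]].append(d)
    for pid in groups:
        groups[pid].sort(key=lambda d: d["seq"])
    return dict(groups)


def nested_regions(names):
    """Return (inner_seq, outer_seq, pid) for every later dump that lies entirely
    inside an earlier dump of the same process. A region captured twice is the
    one to diff: for an unpacking loader the later capture is the likelier place
    to find the unpacked stage (analyst interpretation, not a report fact)."""
    found = []
    for pid, dumps in by_pid(names).items():
        for i, outer in enumerate(dumps):
            for inner in dumps[i + 1:]:
                if outer["start"] <= inner["start"] and inner["end"] <= outer["end"]:
                    found.append((inner["seq"], outer["seq"], pid))
    return found


if __name__ == "__main__":
    for pid, dumps in by_pid(YARA_HITS).items():
        for d in dumps:
            print(f"pid {pid} dump {d['seq']}: 0x{d['start']:08X}-0x{d['end']:08X} ({size_kb(d)} KB)")
    print("re-captured regions (inner, outer, pid):", nested_regions(YARA_HITS))
```

Run against the report's names this reproduces the 184KB/180KB/176KB figures from the dump listing further down and shows that dump 4644-143 sits inside dump 4644-133, i.e. the same ~180KB region of PID 4644 was captured twice and both captures match trickbot_loader32.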
Executes dropped EXE (3 IoCs)
pid    process
4644   àâûñ÷âöóûâïï.exe
1720   àâûñ÷âöóûâïï.exe
748    àâûñ÷âöóûâïï.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description         ioc                                                                                                     process
Key value queried   \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation   e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
The Geo\Nation value is the per-user GeoID, a numeric country/region code set through the Windows Region settings. Reading it lets a sample gate its execution on the victim's configured country without any network lookup, which is why the query is flagged as a probable geofence; the report does not show which value was read or how the sample reacted to it.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour", but nothing else in this report corroborates encryption (the only file writes listed are unchanged copies of the sample), and Trickbot is a modular loader/banking trojan rather than ransomware. Treat this as drive enumeration until file-modification evidence says otherwise.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             pid   process
Token: SeTcbPrivilege   748   àâûñ÷âöóûâïï.exe
SeTcbPrivilege is "Act as part of the operating system". The report records only the adjustment attempt, and only for PID 748, the copy running in the second process tree; AdjustTokenPrivileges can enable a privilege only if the token already holds it, which a standard user token does not, so the attempt is an intent indicator rather than proof the privilege was obtained.
Suspicious use of SetWindowsHookEx (8 IoCs)
pid    process                                                                   hits
4908   e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe     2
4644   àâûñ÷âöóûâïï.exe                                                          2
1720   àâûñ÷âöóûâïï.exe                                                          2
748    àâûñ÷âöóûâïï.exe                                                          2
Suspicious use of WriteProcessMemory (14 IoCs)
pid    process                                                                   target pid   target process       hits
4908   e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe     4644         àâûñ÷âöóûâïï.exe     3
4644   àâûñ÷âöóûâïï.exe                                                          1720         àâûñ÷âöóûâïï.exe     3
1720   àâûñ÷âöóûâïï.exe                                                          4144         svchost.exe          4
748    àâûñ÷âöóûâïï.exe                                                          3940         svchost.exe          4
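The WriteProcessMemory records mix two different things: a parent writing into a child it has just started (routine, and what the sample-to-copy and copy-to-copy writes here are) and a process writing into an unrelated system binary (svchost.exe), which is the injection to chase. The script below is an added example written for this page, not code from the report or from the sandbox; it parses the report's 14 records (rebuilt inline in the "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" form the page uses, with the repeat counts 3/3/4/4 from the table), collapses them into edges with hit counts, walks the write chains from each root, and flags writes into any image other than the sample's own files. The record format and the list of "own" image names are assumptions taken from this page.

```python
import re
from collections import Counter, defaultdict

# Image names from the report. Writes into either are the sample launching copies of
# itself; writes into anything else are treated as injection candidates.
SAMPLE = "e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe"
DROPPED = "àâûñ÷âöóûâïï.exe"
OWN_IMAGES = {SAMPLE, DROPPED}

# The report's 14 records, one line per hit (it repeats each record once per hit).
WRITE_RECORDS = "\n".join(
    [f"PID 4908 wrote to memory of 4644 4908 {SAMPLE} {DROPPED}"] * 3
    + [f"PID 4644 wrote to memory of 1720 4644 {DROPPED} {DROPPED}"] * 3
    + [f"PID 1720 wrote to memory of 4144 1720 {DROPPED} svchost.exe"] * 4
    + [f"PID 748 wrote to memory of 3940 748 {DROPPED} svchost.exe"] * 4
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" (assumed from the page).
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_write_records(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per record; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        src, dst, src_again, src_img, dst_img = m.groups()
        if src != src_again:  # the report repeats the writer's PID before its image name
            raise ValueError(f"inconsistent record: {line}")
        out.append((int(src), int(dst), src_img, dst_img))
    return out


def write_edges(records):
    """Collapse repeated records into one edge per (src, dst) with a hit count."""
    hits = Counter((src, dst) for src, dst, _, _ in records)
    images = {(src, dst): (src_img, dst_img) for src, dst, src_img, dst_img in records}
    return {edge: {"src_image": images[edge][0], "dst_image": images[edge][1], "hits": n}
            for edge, n in hits.items()}


def injection_candidates(records, own_images=OWN_IMAGES):
    """PIDs written into whose image is not one of the sample's own files."""
    return sorted({dst for _, dst, _, dst_img in records if dst_img not in own_images})


def chains(records):
    """Root-to-leaf write chains, one per root (a writer that is never itself a target)."""
    children = defaultdict(list)
    targets = set()
    for src, dst, _, _ in records:
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)

    def walk(pid, path, seen):
        nxt = [c for c in children.get(pid, []) if c not in seen]
        if not nxt:
            yield path
            return
        for child in nxt:
            yield from walk(child, path + [child], seen | {child})

    return [p for root in roots for p in walk(root, [root], {root})]


if __name__ == "__main__":
    recs = parse_write_records(WRITE_RECORDS)
    for (src, dst), info in write_edges(recs).items():
        kind = "self-copy launch" if info["dst_image"] in OWN_IMAGES else "INJECTION CANDIDATE"
        print(f"{src} -> {dst} ({info['dst_image']}, {info['hits']} hits): {kind}")
    print("chains:", chains(recs))
    print("injection candidates:", injection_candidates(recs))
```

On the report's data this yields two chains, 4908 -> 4644 -> 1720 -> 4144 and 748 -> 3940, and exactly two injection candidates, the svchost.exe instances 4144 and 3940, which are also the two processes whose 128KB memory regions appear in the dump listing.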
Processes
(PIDs are taken from the signature tables above.)
- C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe (PID 4908, submitted sample)
  command line: "C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\àâûñ÷âöóûâïï.exe (PID 4644, dropped copy)
    command line: "C:\ProgramData\àâûñ÷âöóûâïï.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe (PID 1720, dropped copy)
      command line: C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\svchost.exe (PID 4144, written to by 1720)
        command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe (PID 748, second tree, no recorded parent)
  command line: C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 3940, written to by 748)
    command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Every dropped file carries exactly the submitted sample's size and hashes: the loader copies itself unchanged into C:\ProgramData and %APPDATA%\sysdefragler, so any hash-based IOC or YARA match for the sample also covers the drops. The dropped name consists of Latin-1 characters whose byte values would decode to a Cyrillic string under code page 1251; this page cannot show which form is on disk, so hunt by drop directory and hash rather than by the exact name.
- C:\ProgramData\àâûñ÷âöóûâïï.exe (listed twice in the report)
  Filesize: 500KB
  MD5: befa5f863f0135a4c707840bca4a00d8
  SHA1: 59638e244df8b59916d1c16c94eae8ee8f2814b5
  SHA256: e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2
  SHA512: 7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154
- C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe (listed three times in the report)
  Filesize: 500KB
  MD5: befa5f863f0135a4c707840bca4a00d8
  SHA1: 59638e244df8b59916d1c16c94eae8ee8f2814b5
  SHA256: e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2
  SHA512: 7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154
-
Memory dumps
pid    dump   range                                       size     note
748    151    0x0000000010000000-0x0000000010005000       20KB
748    150    0x00000000015D1000-0x00000000015FD000       176KB    trickbot_loader32 YARA hit
1720   145    0x0000000010000000-0x0000000010005000       20KB
1720   144    0x00000000029F1000-0x0000000002A1D000       176KB    trickbot_loader32 YARA hit
1720   135    0x0000000000000000-mapping.dmp              -
3940   149    0x0000000000000000-mapping.dmp              -
3940   152    0x0000024D148E0000-0x0000024D14900000       128KB
3940   153    0x0000024D148E0000-0x0000024D14900000       128KB
4144   141    0x0000022A00D30000-0x0000022A00D50000       128KB
4144   140    0x0000000000000000-mapping.dmp              -
4644   142    0x0000000002160000-0x000000000218D000       180KB    trickbot_loader32 YARA hit
4644   143    0x0000000002191000-0x00000000021BD000       176KB    trickbot_loader32 YARA hit
4644   130    0x0000000000000000-mapping.dmp              -
4644   133    0x0000000002190000-0x00000000021BE000       184KB    trickbot_loader32 YARA hit
Two things worth reading off the addresses. The loader regions in PIDs 4644, 1720 and 748 all sit in the low 32-bit range, while the 128KB regions dumped from the two svchost.exe processes (4144, 3940) are at 64-bit user-mode addresses; together with the arch:x86 and arch:x64 tags this is consistent with a 32-bit loader writing into 64-bit svchost.exe, although the report does not say so explicitly. The 20KB regions at 0x10000000 in 1720 and 748 start at the default link-time image base of 32-bit DLLs, which hints at a small module mapped at its preferred base; that is an inference from the address alone, not something the report confirms.