Analysis
- max time kernel: 147s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 04:57

Static task: static1

Behavioral task: behavioral1
- Sample: d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe
- Resource: win7-20220718-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe
- Size: 257KB
- MD5: c631fab0314095b88496fc111c68ade3
- SHA1: 682e78e9a0b3b719262c1e004f9e723e3910a820
- SHA256: d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759
- SHA512: ae1ab6da0419cbc624cdf5ec30e56cd2202fdb1904f28e12e3f40fe2f965f053ac45cd38b9f85ffd406bd643d7317c70a82047c7b125cf9f0c1b8dfe5d5cc3a3
Malware Config
Signatures
- Trickbot x86 loader (2 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource | yara_rule
    behavioral1/memory/888-54-0x0000000000340000-0x0000000000349000-memory.dmp | trickbot_loader32
    behavioral1/memory/888-56-0x0000000000340000-0x0000000000349000-memory.dmp | trickbot_loader32
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1348 | powershell.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    1348 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1348 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 888 wrote to memory of 1444 | 888 | d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe | cmd.exe
    PID 888 wrote to memory of 1444 | 888 | d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe | cmd.exe
    PID 888 wrote to memory of 1444 | 888 | d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe | cmd.exe
    PID 888 wrote to memory of 1444 | 888 | d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe | cmd.exe
    PID 1444 wrote to memory of 1348 | 1444 | cmd.exe | powershell.exe
    PID 1444 wrote to memory of 1348 | 1444 | cmd.exe | powershell.exe
    PID 1444 wrote to memory of 1348 | 1444 | cmd.exe | powershell.exe
    PID 1444 wrote to memory of 1348 | 1444 | cmd.exe | powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe (PID 888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1444)
    Command line: /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1348)
      Command line: PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe"
      - Deletes itself
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/888-54-0x0000000000340000-0x0000000000349000-memory.dmp (Filesize: 36KB)
- memory/888-56-0x0000000000340000-0x0000000000349000-memory.dmp (Filesize: 36KB)
- memory/1348-57-0x0000000000000000-mapping.dmp
- memory/1348-58-0x0000000075A61000-0x0000000075A63000-memory.dmp (Filesize: 8KB)
- memory/1348-59-0x0000000073EB0000-0x000000007445B000-memory.dmp (Filesize: 5.7MB)
- memory/1348-60-0x0000000073EB0000-0x000000007445B000-memory.dmp (Filesize: 5.7MB)
- memory/1444-55-0x0000000000000000-mapping.dmp