Analysis
- max time kernel: 160s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: 95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe
- Resource: win7-20220715-en
- Platform: windows7-x64
- 7 signatures
- 150 seconds
General
- Target: 95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe
- Size: 405KB
- MD5: 5eb9152c121bd89e77778b5bf2dfefe2
- SHA1: b94b34144bb54dec5b1311d84d76888b8b544318
- SHA256: 95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e
- SHA512: 3967823d9645d7dfb6e0878cf5d2f19883c70cc157c15097de16f3732416b545a9c286edf2d1f43954553e61b746e0b356332c0f89b6c7681676057973ea9f9b
Malware Config
Signatures
- Trickbot x86 loader (3 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource                                                                      yara_rule
  behavioral2/memory/4868-132-0x0000000000660000-0x0000000000669000-memory.dmp  trickbot_loader32
  behavioral2/memory/4868-133-0x0000000000660000-0x0000000000669000-memory.dmp  trickbot_loader32
  behavioral2/memory/4868-136-0x0000000000660000-0x0000000000669000-memory.dmp  trickbot_loader32
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  4868  95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                                                   target process
  PID 4868 wrote to memory of 5096   4868  95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe  cmd.exe
  PID 4868 wrote to memory of 5096   4868  95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe  cmd.exe
  PID 4868 wrote to memory of 5096   4868  95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe  cmd.exe
  PID 5096 wrote to memory of 2440   5096  cmd.exe                                                                   powershell.exe
  PID 5096 wrote to memory of 2440   5096  cmd.exe                                                                   powershell.exe
  PID 5096 wrote to memory of 2440   5096  cmd.exe                                                                   powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe"
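The process tree is a delayed self-deletion routine: the sample (PID 4868) spawns cmd.exe (PID 5096), which launches powershell.exe (PID 2440) to sleep 10 seconds and then remove the sample's own file from %TEMP%. The WriteProcessMemory entries in the Signatures section pair each parent with the child it launched along this chain. The Python below is an added detection example, not part of this report or of the sandbox's tooling: it walks process-creation events (the shape of Sysmon Event ID 1 or EDR telemetry) and flags any process whose command line deletes the image path of one of its own ancestors. The events are constructed to mirror the tree above; the PIDs 4868, 5096 and 2440 come from the report, while the top-level parent PID 1234 and the benign control event are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / EDR telemetry shape)."""
    pid: int
    ppid: int
    image: str      # full path of the created image
    cmdline: str    # command line as logged


# Constructed events mirroring the report's process tree. PIDs 4868, 5096 and
# 2440 come from the report; parent PID 1234 is assumed (explorer or similar).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\95dfe53ddb3cfbce26e4bf486d30d43fff156fb4a883beec5e25c39efef4d37e.exe"
EVENTS = [
    ProcEvent(4868, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5096, 4868, r"C:\Windows\SysWOW64\cmd.exe",
              f'/C PowerShell "Start-Sleep 10; Remove-Item {SAMPLE}"'),
    ProcEvent(2440, 5096, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              f'PowerShell "Start-Sleep 10; Remove-Item {SAMPLE}"'),
    # Benign control (assumed): deletes a log file, not the image of any ancestor.
    ProcEvent(3000, 1234, r"C:\Windows\System32\cmd.exe",
              r'/C PowerShell "Remove-Item C:\Temp\old.log"'),
]

# Deletion verbs in PowerShell and cmd. Switches such as -Force or -Path are
# skipped; the target runs up to a quote or statement separator.
DELETE_RE = re.compile(
    r"\b(?:Remove-Item|del|erase|rm|ri)\s+(?:-\w+\s+)*([^;\"']+)", re.IGNORECASE)
# Common ways to delay the deletion until the parent has exited.
DELAY_RE = re.compile(r"\b(?:Start-Sleep|timeout|ping)\b", re.IGNORECASE)


def deletion_targets(cmdline: str) -> List[str]:
    """Return the paths a command line tries to delete, lower-cased."""
    return [m.group(1).strip().lower() for m in DELETE_RE.finditer(cmdline)]


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk up the recorded parent chain; stops at unknown PIDs or PID reuse loops."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_self_deletion(events: List[ProcEvent]) -> List[dict]:
    """Flag every process whose command line deletes an ancestor's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        targets = deletion_targets(ev.cmdline)
        if not targets:
            continue
        for anc in ancestors(ev.pid, by_pid):
            if anc.image.lower() in targets:
                hits.append({
                    "deleter_pid": ev.pid,
                    "deleter_image": ev.image,
                    "victim_pid": anc.pid,
                    "victim_image": anc.image,
                    "delayed": bool(DELAY_RE.search(ev.cmdline)),
                })
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(EVENTS):
        print(f"pid {h['deleter_pid']} deletes image of ancestor pid {h['victim_pid']} "
              f"(delayed={h['delayed']}): {h['victim_image']}")
```

Both cmd.exe (5096) and powershell.exe (2440) are reported against victim 4868, because the deletion command appears in both command lines; deduplicate on the victim PID when raising an alert. Matching on the ancestor's image path rather than on the Remove-Item keyword keeps routine cleanup scripts, like the control event, out of the results.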
Network
MITRE ATT&CK Matrix
Downloads
- memory/2440-135-0x0000000000000000-mapping.dmp
- memory/4868-132-0x0000000000660000-0x0000000000669000-memory.dmp (36KB)
- memory/4868-133-0x0000000000660000-0x0000000000669000-memory.dmp (36KB)
- memory/4868-136-0x0000000000660000-0x0000000000669000-memory.dmp (36KB)
- memory/5096-134-0x0000000000000000-mapping.dmp
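The dump names encode the process ID, the sandbox event index and the dumped address range, so the three trickbot_loader32 hits above are one 0x660000-0x669000 region of PID 4868 captured at three points in the run, and the mapping dumps for the child PIDs 5096 and 2440 carry no range. The Python below is an added helper, not part of the report or the sandbox, that parses this naming pattern (the interpretation of the fields is inferred from the names listed on this page) and cross-checks the 36KB sizes shown in the Downloads list.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# <pid>-<event index>-0x<start>[-0x<end>]-(memory|mapping).dmp, optionally
# prefixed with a task name such as behavioral2/ as in the Signatures table.
# Field meaning is inferred from the names on this page.
DUMP_RE = re.compile(
    r"^(?:\w+/)?memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)(?:-0x([0-9a-fA-F]+))?-(memory|mapping)\.dmp$")

# Names copied from the report's Downloads list.
DUMPS = [
    "memory/2440-135-0x0000000000000000-mapping.dmp",
    "memory/4868-132-0x0000000000660000-0x0000000000669000-memory.dmp",
    "memory/4868-133-0x0000000000660000-0x0000000000669000-memory.dmp",
    "memory/4868-136-0x0000000000660000-0x0000000000669000-memory.dmp",
    "memory/5096-134-0x0000000000000000-mapping.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, event index, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, event, start, end, kind = m.groups()
    info = {"pid": int(pid), "event": int(event), "kind": kind, "start": int(start, 16)}
    if kind == "memory":
        if end is None:
            raise ValueError(f"memory dump without end address: {name}")
        info["end"] = int(end, 16)
        info["size"] = info["end"] - info["start"]
    return info


def size_label(size: int) -> str:
    """Render a byte count the way the report does (whole KB, 1024-based)."""
    return f"{size // 1024}KB"


def distinct_regions(names: List[str]) -> Dict[Tuple[int, int, int], List[int]]:
    """Group memory dumps by (pid, start, end) and list the events that captured each."""
    regions = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        if d["kind"] == "memory":
            regions[(d["pid"], d["start"], d["end"])].append(d["event"])
    return dict(regions)


if __name__ == "__main__":
    for (pid, start, end), events in distinct_regions(DUMPS).items():
        print(f"pid {pid}: 0x{start:x}-0x{end:x} ({size_label(end - start)}) "
              f"captured at events {events}")
```

One region repeated across events is the usual shape of an unpacker that writes its stage into a fixed buffer and is scanned each time the sandbox takes a snapshot; when triaging, compare the dumps before assuming they are different payloads.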