Analysis
- max time kernel: 131s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 09:30
Static task: static1
Behavioral task: behavioral1
Sample: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
Resource: win7-20220718-en
General
- Target: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
- Size: 720KB
- MD5: 67203088526a6681ced778e2cf2fd2ed
- SHA1: 6731062c32e4fa15c3c3bcb2b4b9661efff05054
- SHA256: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11
- SHA512: 365565ca379ec0add4f5de704ae0a78d727cf05c191e6847806f99b5e4d67abe2d33a5a7298625baf56451f5e783ade04173d7eb54727643e9f3e66ad8e91764
Malware Config
Signatures
- Trickbot x86 loader (6 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4836-133-0x0000000002190000-0x00000000021BD000-memory.dmp  trickbot_loader32
    behavioral2/memory/4836-135-0x0000000002160000-0x000000000218C000-memory.dmp  trickbot_loader32
    behavioral2/memory/4836-136-0x0000000002191000-0x00000000021BC000-memory.dmp  trickbot_loader32
    behavioral2/memory/4836-138-0x0000000002191000-0x00000000021BC000-memory.dmp  trickbot_loader32
    behavioral2/memory/2872-145-0x0000000001091000-0x00000000010BC000-memory.dmp  trickbot_loader32
    behavioral2/memory/2872-147-0x0000000001091000-0x00000000010BC000-memory.dmp  trickbot_loader32
- Executes dropped EXE (2 IoCs)
  Processes: جللدشتادنالرهعلةلحيللشائاأظر.exe, جللدشتادنالرهعلةلحيللشائاأظر.exe
    pid   process
    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe
    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation  6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: svchost.exe
    description            pid   process
    Token: SeTcbPrivilege  1500  svchost.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe, جللدشتادنالرهعلةلحيللشائاأظر.exe, جللدشتادنالرهعلةلحيللشائاأظر.exe
    pid   process
    4316  6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe
    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe, جللدشتادنالرهعلةلحيللشائاأظر.exe, جللدشتادنالرهعلةلحيللشائاأظر.exe
    description                         pid   process                                                                 target process
    PID 4316 wrote to memory of 4836    4316  6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe  جللدشتادنالرهعلةلحيللشائاأظر.exe
    PID 4316 wrote to memory of 4836    4316  6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe  جللدشتادنالرهعلةلحيللشائاأظر.exe
    PID 4316 wrote to memory of 4836    4316  6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe  جللدشتادنالرهعلةلحيللشائاأظر.exe
    PID 4836 wrote to memory of 4336    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 4836 wrote to memory of 4336    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 4836 wrote to memory of 4336    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 4836 wrote to memory of 4336    4836  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 2872 wrote to memory of 1500    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 2872 wrote to memory of 1500    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 2872 wrote to memory of 1500    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
    PID 2872 wrote to memory of 1500    2872  جللدشتادنالرهعلةلحيللشائاأظر.exe                                        svchost.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\ProgramData\جللدشتادنالرهعلةلحيللشائاأظر.exe
    Command line: "C:\ProgramData\جللدشتادنالرهعلةلحيللشائاأظر.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
- (depth 1) C:\Users\Admin\AppData\Roaming\netcloud\جللدشتادنالرهعلةلحيللشائاأظر.exe
  Command line: C:\Users\Admin\AppData\Roaming\netcloud\جللدشتادنالرهعلةلحيللشائاأظر.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\جللدشتادنالرهعلةلحيللشائاأظر.exe
  Filesize: 720KB
  MD5: 67203088526a6681ced778e2cf2fd2ed
  SHA1: 6731062c32e4fa15c3c3bcb2b4b9661efff05054
  SHA256: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11
  SHA512: 365565ca379ec0add4f5de704ae0a78d727cf05c191e6847806f99b5e4d67abe2d33a5a7298625baf56451f5e783ade04173d7eb54727643e9f3e66ad8e91764
- C:\ProgramData\جللدشتادنالرهعلةلحيللشائاأظر.exe
  Filesize: 720KB
  MD5: 67203088526a6681ced778e2cf2fd2ed
  SHA1: 6731062c32e4fa15c3c3bcb2b4b9661efff05054
  SHA256: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11
  SHA512: 365565ca379ec0add4f5de704ae0a78d727cf05c191e6847806f99b5e4d67abe2d33a5a7298625baf56451f5e783ade04173d7eb54727643e9f3e66ad8e91764
- C:\Users\Admin\AppData\Roaming\netcloud\جللدشتادنالرهعلةلحيللشائاأظر.exe
  Filesize: 720KB
  MD5: 67203088526a6681ced778e2cf2fd2ed
  SHA1: 6731062c32e4fa15c3c3bcb2b4b9661efff05054
  SHA256: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11
  SHA512: 365565ca379ec0add4f5de704ae0a78d727cf05c191e6847806f99b5e4d67abe2d33a5a7298625baf56451f5e783ade04173d7eb54727643e9f3e66ad8e91764
- C:\Users\Admin\AppData\Roaming\netcloud\جللدشتادنالرهعلةلحيللشائاأظر.exe
  Filesize: 720KB
  MD5: 67203088526a6681ced778e2cf2fd2ed
  SHA1: 6731062c32e4fa15c3c3bcb2b4b9661efff05054
  SHA256: 6d263f4f692de3e26ef3aa2e9152e9294696e6a15c4c39e7c14d53c861e79b11
  SHA512: 365565ca379ec0add4f5de704ae0a78d727cf05c191e6847806f99b5e4d67abe2d33a5a7298625baf56451f5e783ade04173d7eb54727643e9f3e66ad8e91764
- memory/1500-148-0x000001402B8C0000-0x000001402B8DE000-memory.dmp
  Filesize: 120KB
- memory/1500-146-0x0000000000000000-mapping.dmp
- memory/2872-147-0x0000000001091000-0x00000000010BC000-memory.dmp
  Filesize: 172KB
- memory/2872-145-0x0000000001091000-0x00000000010BC000-memory.dmp
  Filesize: 172KB
- memory/4336-139-0x00000196633B0000-0x00000196633CE000-memory.dmp
  Filesize: 120KB
- memory/4336-140-0x00000196633B0000-0x00000196633CE000-memory.dmp
  Filesize: 120KB
- memory/4336-137-0x0000000000000000-mapping.dmp
- memory/4836-130-0x0000000000000000-mapping.dmp
- memory/4836-138-0x0000000002191000-0x00000000021BC000-memory.dmp
  Filesize: 172KB
- memory/4836-136-0x0000000002191000-0x00000000021BC000-memory.dmp
  Filesize: 172KB
- memory/4836-135-0x0000000002160000-0x000000000218C000-memory.dmp
  Filesize: 176KB
- memory/4836-133-0x0000000002190000-0x00000000021BD000-memory.dmp
  Filesize: 180KB