Analysis
- max time kernel: 138s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2022 22:24
Tasks
- Static task static1
- Behavioral task behavioral1: sample zmoperes.ri.exe, resource win10-20220812-en
- Behavioral task behavioral2: sample zmoperes.ri.exe, resource win7-20220812-en
- Behavioral task behavioral3: sample zmoperes.ri.exe, resource win10v2004-20220901-en
General
- Target: zmoperes.ri.exe
- Size: 313KB
- MD5: 104b457b6d90fc80ff2dbbcebbb7ca8b
- SHA1: 7842611837af04d7c986de21ab2454ed397014de
- SHA256: 1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f
- SHA512: 504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0
- SSDEEP: 6144:cqzfvclHbmBwuKj6BkT4GvEH5sLLJ6vd4p:cqzHWHbmQGBkT46689I
Malware Config
Extracted
- family: trickbot
- 1000229
- sat17
- autorun: Control:GetSystemInfo, Name:systeminfo, Name:injectDll
Signatures
- Trickbot x86 loader (3 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource, yara_rule):
  - behavioral3/memory/1608-132-0x0000000010000000-0x0000000010040000-memory.dmp: trickbot_loader32
  - behavioral3/memory/4004-139-0x0000000000400000-0x000000000043D000-memory.dmp: trickbot_loader32
  - behavioral3/memory/424-158-0x0000000000400000-0x000000000043D000-memory.dmp: trickbot_loader32
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 2764 zmopeset.ri.exe
  - 424 zmopeset.ri.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msnet\\zmopeset.ri.exe" (svchost.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 40: ipinfo.io
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target pid, target process):
  - PID 1608 zmoperes.ri.exe set thread context of 4004 zmoperes.ri.exe
  - PID 2764 zmopeset.ri.exe set thread context of 424 zmopeset.ri.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  - 1608 zmoperes.ri.exe
  - 2764 zmopeset.ri.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target pid, target process); identical repeated entries are collapsed:
  - PID 1608 zmoperes.ri.exe wrote to memory of 4004 zmoperes.ri.exe (4 entries)
  - PID 4004 zmoperes.ri.exe wrote to memory of 2764 zmopeset.ri.exe (3 entries)
  - PID 2764 zmopeset.ri.exe wrote to memory of 424 zmopeset.ri.exe (4 entries)
  - PID 424 zmopeset.ri.exe wrote to memory of 1888 svchost.exe (all remaining entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
      command line: C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
        command line: C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\0f5007522459c86e95ffcc62f32308f1_4cfb5922-b036-4c14-9ed1-03c0dad19fbd
  - Filesize: 1KB
  - MD5: c615dee22a0d6a4f5ea90f0a1c2e9398
  - SHA1: 17b7f0374af32a17817f58ab908c54e3117f00b0
  - SHA256: af0cd03e6b269c6d49be2d91dd35b9cfcf30b96073eb1ee5bffcedf40361acaa
  - SHA512: 1700d5b378019d5dbb5d2fdc938f852fa0be0183d03cb280eac6ecf9e2cc69c7eca169032cca1655a4d09a469d6570caa1953f6e33192cbb237344255257fd3d
- C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe (listed three times in the report; identical hashes to the submitted sample)
  - Filesize: 313KB
  - MD5: 104b457b6d90fc80ff2dbbcebbb7ca8b
  - SHA1: 7842611837af04d7c986de21ab2454ed397014de
  - SHA256: 1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f
  - SHA512: 504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0
- memory/424-144-0x0000000000000000-mapping.dmp
- memory/424-147-0x0000000010000000-0x0000000010007000-memory.dmp (Filesize: 28KB)
- memory/424-158-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/1608-132-0x0000000010000000-0x0000000010040000-memory.dmp (Filesize: 256KB)
- memory/1888-150-0x0000000000000000-mapping.dmp
- memory/1888-152-0x0000000140000000-0x0000000140036000-memory.dmp (Filesize: 216KB)
- memory/2764-136-0x0000000000000000-mapping.dmp
- memory/4004-139-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/4004-135-0x0000000000000000-mapping.dmp