Analysis
-
max time kernel
166s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
19/11/2023, 22:28
Static task
static1
Behavioral task
behavioral1
Sample
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
Resource
win7-20231020-en
General
-
Target
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
-
Size
396KB
-
MD5
8503ea92f4c9941ee3295978729d98ba
-
SHA1
d04dfbc5b1335c8408ffb5c58bd966791f748ad3
-
SHA256
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
-
SHA512
a5dade77d81f3fc49b46d828ea653d55b921e8b65b455dd0a1fa7eba7880b3a86deff0aafd21276a86eb95be948ab61da9771343ccbc24164b31c3a5b18edaa5
-
SSDEEP
6144:omPt4BMS4GhUjjF0CBTTFCIRroPHQJ/s5xi8uwytwnhJCAfYrewWvoKMyDftxQib:ZPt4BMsOvpAHQJ0G8CAfWWvo1im
Malware Config
Extracted
trickbot
1000512
xml1
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4976 wermgr.exe Token: SeDebugPrivilege 4976 wermgr.exe Token: SeDebugPrivilege 4976 wermgr.exe Token: SeManageVolumePrivilege 1392 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3080 wrote to memory of 4976 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe 110 PID 3080 wrote to memory of 4976 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe 110 PID 3080 wrote to memory of 4976 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe 110 PID 3080 wrote to memory of 4976 3080 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe"C:\Users\Admin\AppData\Local\Temp\1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:2656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5f16549e793c4fb0dbf67057fb5fe436f
SHA1582d4eaf7d881705971b2f64172396b5245419e8
SHA2564cbe52797856dbd605fcb728294baf15383212918264b5d4f220a0f5b85a5362
SHA5127d66ac89a5ad760308535c1381aecd781eb964fc545beefcfff8e7e1a3e6e354d2141be3c57db1b47dcef9b98f1964354214544ed75ce6409e2b37416439ed11