Analysis

max time kernel: 134s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-12-2024 22:05

Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7-20240903-en
General

Target: sample.exe
Size: 276KB
MD5: fe772386d4d851272a985dae3b0a254a
SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
SSDEEP: 6144:EhvANzqFWxfrQe43vaHRsDwnrPjq18lq257OFyHKziUt:0ANzo8rQv/axscnrbq1hmyFWU
Malware Config

Extracted: trickbot
2000016
lib11

202.136.89.226:449
202.169.244.252:449
203.176.135.38:449
212.3.104.50:449
41.203.215.122:449
41.41.179.239:449
43.239.152.240:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449
45.230.8.34:449
45.233.25.6:449
78.138.128.20:449
49.156.41.74:449

autorun Name: pwgrab
Signatures

Trickbot family

Executes dropped EXE (1 IoCs)
pid   Process
2672  sample.exe

Loads dropped DLL (7 IoCs)
pid   Process
2092  sample.exe
2092  sample.exe
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2560  2092        WerFault.exe  29
1172  2672        WerFault.exe  30

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sample.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sample.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2764  wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2092  sample.exe
2672  sample.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process     procid_target
PID 2092 wrote to memory of 2672  2092  sample.exe  30
PID 2092 wrote to memory of 2672  2092  sample.exe  30
PID 2092 wrote to memory of 2672  2092  sample.exe  30
PID 2092 wrote to memory of 2672  2092  sample.exe  30
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2672 wrote to memory of 2764  2672  sample.exe  31
PID 2092 wrote to memory of 2560  2092  sample.exe  32
PID 2092 wrote to memory of 2560  2092  sample.exe  32
PID 2092 wrote to memory of 2560  2092  sample.exe  32
PID 2092 wrote to memory of 2560  2092  sample.exe  32
PID 2672 wrote to memory of 1172  2672  sample.exe  33
PID 2672 wrote to memory of 1172  2672  sample.exe  33
PID 2672 wrote to memory of 1172  2672  sample.exe  33
PID 2672 wrote to memory of 1172  2672  sample.exe  33
Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  PID: 2092
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    Command line: C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    PID: 2672
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 2764
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 160
      PID: 1172
      - Loads dropped DLL
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 160
    PID: 2560
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276KB
MD5: fe772386d4d851272a985dae3b0a254a
SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec