Analysis
-
max time kernel
127s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-12-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20240903-en
General
-
Target
sample.exe
-
Size
276KB
-
MD5
fe772386d4d851272a985dae3b0a254a
-
SHA1
3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
-
SHA256
bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
-
SHA512
e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
-
SSDEEP
6144:EhvANzqFWxfrQe43vaHRsDwnrPjq18lq257OFyHKziUt:0ANzo8rQv/axscnrbq1hmyFWU
Malware Config
Extracted
trickbot
2000016
lib11
202.136.89.226:449
202.169.244.252:449
203.176.135.38:449
212.3.104.50:449
41.203.215.122:449
41.41.179.239:449
43.239.152.240:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449
45.230.8.34:449
45.233.25.6:449
78.138.128.20:449
49.156.41.74:449
-
autorunName:pwgrab
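The extracted config above is only useful once it is turned into something a detection pipeline can consume. The following is an added example, not part of the sandbox report: it parses the config block exactly as the report prints it (family, version, gtag, then one C2 per line and the autorun module), sweeps a connection log for flows to those endpoints, and emits one Suricata `alert ip` rule per C2. The `CONN_LOG` lines are constructed for illustration, the sid range is assumed to be free, and the port-strict versus address-only matching switch is this example's own design choice.

```python
"""Added example (not part of the sandbox report): parse the Trickbot config
block shown above into a C2 set and sweep connection logs against it.

EXTRACTED_CONFIG is copied from the report's "Malware Config" section;
CONN_LOG is constructed for illustration and is not sandbox output.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

EXTRACTED_CONFIG = """\
trickbot
2000016
lib11
202.136.89.226:449
202.169.244.252:449
203.176.135.38:449
212.3.104.50:449
41.203.215.122:449
41.41.179.239:449
43.239.152.240:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449
45.230.8.34:449
45.233.25.6:449
78.138.128.20:449
49.156.41.74:449
autorunName:pwgrab
"""

# Constructed log lines: "<epoch> <src_ip> <src_port> <dst_ip> <dst_port>".
CONN_LOG = """\
1734818700.1 10.0.0.5 49811 202.136.89.226 449
1734818701.4 10.0.0.5 49812 142.250.72.14 443
1734818702.9 10.0.0.7 51020 43.245.216.190 449
1734818703.2 10.0.0.7 51021 43.245.216.190 80
"""


@dataclass
class TrickbotConfig:
    family: str
    version: str
    gtag: str                                   # campaign tag, "lib11" here
    c2: Set[Tuple[str, int]] = field(default_factory=set)
    autoruns: List[str] = field(default_factory=list)


_C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text: str) -> TrickbotConfig:
    """Header is family, version, gtag; every later line is a C2 or an autorun."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config block too short")
    cfg = TrickbotConfig(*lines[:3])
    for ln in lines[3:]:
        m = _C2_LINE.match(ln)
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)            # rejects e.g. 999.1.1.1
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {ln!r}")
            cfg.c2.add((ip, port))
        elif ln.startswith("autorunName:"):
            cfg.autoruns.append(ln.split(":", 1)[1])
        else:
            raise ValueError(f"unrecognised config line {ln!r}")
    return cfg


def find_c2_hits(cfg, conn_log, strict_port=True):
    """Return (ts, src_ip, dst_ip, dst_port) for flows to a configured C2.
    strict_port=False matches on address alone: catches the same host on
    another port at the cost of more false positives."""
    c2_ips = {ip for ip, _ in cfg.c2}
    hits = []
    for ln in conn_log.splitlines():
        if not ln.strip():
            continue
        ts, src, _sport, dst, dport = ln.split()
        dport = int(dport)
        if (dst, dport) in cfg.c2 or (not strict_port and dst in c2_ips):
            hits.append((ts, src, dst, dport))
    return hits


def suricata_rules(cfg, sid_base=9000000):
    """One 'alert ip' rule per C2 endpoint; the sid range is assumed free."""
    return [
        f'alert ip $HOME_NET any -> {ip} {port} '
        f'(msg:"{cfg.family} C2 gtag={cfg.gtag} ver={cfg.version}"; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(cfg.c2))
    ]


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(f"{len(cfg.c2)} C2 endpoints, autoruns={cfg.autoruns}")
    for hit in find_c2_hits(cfg, CONN_LOG):
        print("C2 hit:", hit)
    print("\n".join(suricata_rules(cfg)))
```

Port-strict matching is the default because the config pins every C2 to 449; drop to address-only matching when sweeping historical logs, since Trickbot infrastructure is reused and the same host may have served other ports.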
Signatures
-
Trickbot family
-
Executes dropped EXE 1 IoCs
pid   Process
832   sample.exe
-
Program crash 3 IoCs
pid    pid_target   Process        procid_target
1920   832          WerFault.exe   83
5036   832          WerFault.exe   83
2156   2720         WerFault.exe   82
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sample.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sample.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   3740   wermgr.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
2720   sample.exe
832    sample.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid    Process      procid_target
PID 2720 wrote to memory of 832    2720   sample.exe   83
PID 2720 wrote to memory of 832    2720   sample.exe   83
PID 2720 wrote to memory of 832    2720   sample.exe   83
PID 832 wrote to memory of 3740    832    sample.exe   84
PID 832 wrote to memory of 3740    832    sample.exe   84
PID 832 wrote to memory of 3740    832    sample.exe   84
PID 832 wrote to memory of 3740    832    sample.exe   84
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  PID: 2720
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    Command line: C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
    PID: 832
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 3740
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 624
      PID: 1920
      - Program crash

    Depth 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 232
      PID: 5036
      - Program crash

  Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 428
    PID: 2156
    - Program crash

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 832 -ip 832
  PID: 2392

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 832 -ip 832
  PID: 1564

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2720 -ip 2720
  PID: 2936
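The process tree and the WriteProcessMemory table are the report's most actionable host-side evidence: a binary running from a user-writable path (the dropped copy under AppData\Roaming\Colorwin) writes into the address space of a Windows system binary (wermgr.exe, PID 3740), which then takes SeDebugPrivilege. The following is an added example, not part of the sandbox report or of the sandbox's own scoring: it rebuilds the tree from hand-constructed process and memory-write events that mirror the report, recovers the ancestry of any PID, and applies two heuristics of this example's own design (user-path image writing into a C:\Windows image is high; a user-path parent writing into a child it just spawned is medium, since that pattern also occurs benignly). The directory list treated as user-writable is an assumption.

```python
"""Added example (not from the sandbox report): rebuild the process tree above
and score the cross-process memory writes it lists.

PROCS and WRITES are constructed by hand from the report's "Processes" and
"Suspicious use of WriteProcessMemory" sections; they are not a sandbox export,
and the heuristics are this example's own, not the sandbox's scoring rules.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int]          # None for a root of the observed tree


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


PROCS = [
    Proc(2720, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", None),
    Proc(832, r"C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe", 2720),
    Proc(3740, r"C:\Windows\system32\wermgr.exe", 832),
    Proc(1920, r"C:\Windows\SysWOW64\WerFault.exe", 832),
    Proc(5036, r"C:\Windows\SysWOW64\WerFault.exe", 832),
    Proc(2156, r"C:\Windows\SysWOW64\WerFault.exe", 2720),
    Proc(2392, r"C:\Windows\SysWOW64\WerFault.exe", None),
    Proc(1564, r"C:\Windows\SysWOW64\WerFault.exe", None),
    Proc(2936, r"C:\Windows\SysWOW64\WerFault.exe", None),
]
# Three writes 2720 -> 832 and four writes 832 -> 3740, as the report lists.
WRITES = [MemWrite(2720, 832)] * 3 + [MemWrite(832, 3740)] * 4

# Assumed set of directories an unprivileged user can write to; code running
# from here has no legitimate reason to write into another process.
USER_WRITABLE_DIRS = {"appdata", "temp", "public", "programdata", "downloads"}


def is_user_writable(image: str) -> bool:
    parts = {p.lower() for p in PureWindowsPath(image).parts}
    return bool(parts & USER_WRITABLE_DIRS)


def is_system_image(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def ancestry(procs, pid):
    """Image paths from the root of the observed tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid is not None:
        p = by_pid[pid]
        chain.append(p.image)
        pid = p.ppid
    return list(reversed(chain))


def score_writes(procs, writes):
    """Deduplicated findings as (severity, src_image, dst_image), one per
    (src, dst) pair regardless of how many writes were observed."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for w in writes:
        src, dst = by_pid[w.src_pid], by_pid[w.dst_pid]
        key = (w.src_pid, w.dst_pid)
        if is_user_writable(src.image) and is_system_image(dst.image):
            # User-path code writing into a Windows binary: injection pattern.
            findings[key] = ("high", src.image, dst.image)
        elif is_user_writable(src.image) and dst.ppid == src.pid:
            # Parent writing into its own fresh child: hollowing staging,
            # but also seen with debuggers and some installers.
            findings[key] = ("medium", src.image, dst.image)
    return sorted(findings.values())


if __name__ == "__main__":
    print(" -> ".join(ancestry(PROCS, 3740)))
    for sev, src, dst in score_writes(PROCS, WRITES):
        print(f"[{sev}] {src} wrote into {dst}")
```

The WerFault.exe children are deliberately left unscored: they are spawned by the crashing sample and perform no writes in the report, so a rule keyed on image path alone would add noise without evidence.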
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
276KB
MD5     fe772386d4d851272a985dae3b0a254a
SHA1    3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
SHA256  bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
SHA512  e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec