Analysis
max time kernel: 139s
max time network: 147s
platform: windows10_x64
resource: win10
submitted: 19-06-2020 05:47
Static task: static1
Behavioral task: behavioral1
Sample: 393a0e52dce28a358b5f56488c903dcd.exe
Resource: win7
General
Target: 393a0e52dce28a358b5f56488c903dcd.exe
Size: 752KB
MD5: 393a0e52dce28a358b5f56488c903dcd
SHA1: cb6223736568bcc1598e7f2487d7501d509b81da
SHA256: 995526d72e443e96d046052b463c3ecef053cdbf8abadcfca423da35e1f83db7
SHA512: 6d0a650bdad173778bcf15a53d153a6ace1ab08af166d83a8dc3db18262318f54f9db4a2ca2b075bedf63dda95368f2b241cd1189cd32e42300fd3d43d35faba
Malware Config
Extracted family: trickbot
Version (ver): 1000512
Group tag (gtag): chil29
C2 servers (ip:port):
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
Autorun module name: pwgrab
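The C2 list above is the most directly actionable part of the extracted config. The following is an added example (not part of the sandbox report): it parses the endpoints exactly as listed, breaks them down by port, and runs three tiers of matching over a constructed connection log (exact ip:port, C2 IP on another port, and any flow to port 449). The log lines, their field layout and the tier names are this example's own choices.

```python
"""Convert the extracted TrickBot C2 list into a matcher and run it over
connection records. Added example, not part of the sandbox report: the C2
endpoints are copied from the report, the connection log is constructed."""
import ipaddress
from collections import Counter, namedtuple

# C2 endpoints exactly as extracted from the sample's config (ip:port).
C2_RAW = """
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
"""

# Constructed sample connection log (not real traffic), one flow per line:
# ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1592544480.101 10.0.0.15 51422 95.171.16.42 443 tcp
1592544481.220 10.0.0.15 51423 142.250.74.78 443 tcp
1592544495.004 10.0.0.21 60010 181.129.104.139 449 tcp
1592544496.880 10.0.0.21 60011 185.99.2.65 8443 tcp
1592544500.333 10.0.0.33 49900 203.0.113.7 449 tcp
"""

Hit = namedtuple("Hit", "ts src dst dport reason")


def parse_c2(raw):
    """Return a set of (ip, port) tuples; a malformed line raises instead of being dropped."""
    endpoints = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


def port_breakdown(endpoints):
    """Count endpoints per port; this config uses only 443 and 449."""
    return dict(Counter(port for _, port in endpoints))


def match_connections(endpoints, log_text):
    """Match flows against the C2 list, most specific tier first."""
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        ts, src, _sport, dst, dport, _proto = line.split()
        dport = int(dport)
        if (dst, dport) in endpoints:
            reason = "exact C2 match"
        elif dst in c2_ips:
            reason = "C2 IP on non-configured port"
        elif dport == 449:
            reason = "port 449 heuristic (port seen in this TrickBot config)"
        else:
            continue
        hits.append(Hit(ts, src, dst, dport, reason))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print(f"{len(c2)} C2 endpoints, per port: {port_breakdown(c2)}")
    for hit in match_connections(c2, SAMPLE_CONN_LOG):
        print(hit)
```

The exact ip:port tier is the high-confidence one. The IP-only tier catches the same infrastructure on a different port, and the port 449 tier is a low-confidence heuristic that should be reviewed rather than blocked on. TrickBot C2 lists change between builds, so treat this set as a point-in-time indicator tied to gtag chil29 / version 1000512.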
Signatures
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | target process
PID 3372 wrote to memory of 1152 | 3372 | 393a0e52dce28a358b5f56488c903dcd.exe | wermgr.exe
PID 3372 wrote to memory of 1152 | 3372 | 393a0e52dce28a358b5f56488c903dcd.exe | wermgr.exe
PID 3372 wrote to memory of 1152 | 3372 | 393a0e52dce28a358b5f56488c903dcd.exe | wermgr.exe
PID 3372 wrote to memory of 1152 | 3372 | 393a0e52dce28a358b5f56488c903dcd.exe | wermgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1152 | wermgr.exe
Token: SeDebugPrivilege | 1152 | wermgr.exe
Token: SeDebugPrivilege | 1152 | wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\393a0e52dce28a358b5f56488c903dcd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\393a0e52dce28a358b5f56488c903dcd.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
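Taken together, the signatures and the process tree describe one chain: the sample, running from the user's Temp directory, spawns wermgr.exe from System32, writes into its memory four times, and the injected wermgr.exe then enables SeDebugPrivilege three times. The following is an added example (not part of the sandbox report) that encodes that chain as a rule: the process and event records are transcribed from the report above, while the path classes, severity labels and record layout are this example's own choices.

```python
"""Flag a user-writable-path executable that writes into a spawned Windows
system binary which then enables SeDebugPrivilege. Added example, not part of
the sandbox report; records below are transcribed from the report's signatures
and process tree, the rule itself is this example's own."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Process tree from the report: pid -> (parent pid, image path).
PROCESSES = {
    3372: (None, r"C:\Users\Admin\AppData\Local\Temp\393a0e52dce28a358b5f56488c903dcd.exe"),
    1152: (3372, r"C:\Windows\system32\wermgr.exe"),
}

# Behavioral events in the order the sandbox listed them:
#   ("wpm", source pid, target pid)      -> WriteProcessMemory IoC
#   ("priv", pid, privilege name)        -> AdjustPrivilegeToken IoC
EVENTS = [
    ("wpm", 3372, 1152),
    ("wpm", 3372, 1152),
    ("wpm", 3372, 1152),
    ("wpm", 3372, 1152),
    ("priv", 1152, "SeDebugPrivilege"),
    ("priv", 1152, "SeDebugPrivilege"),
    ("priv", 1152, "SeDebugPrivilege"),
]

# Path classes chosen for this example (lower-cased, forward slashes).
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/windows/temp/")
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


def _norm(path):
    return PureWindowsPath(path).as_posix().lower()


def is_user_writable(path):
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def is_system_binary(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def detect_injection(processes, events):
    """Return one finding per (source, target) pair where a user-writable-path
    process writes into a System32 binary; severity rises if the target then
    enables a privilege."""
    writes = defaultdict(int)   # (src pid, dst pid) -> cross-process write count
    privs = defaultdict(set)    # pid -> privileges enabled after the writes
    for kind, pid, arg in events:
        if kind == "wpm" and pid != arg:
            writes[(pid, arg)] += 1
        elif kind == "priv":
            privs[pid].add(arg)

    findings = []
    for (src, dst), count in writes.items():
        _src_parent, src_image = processes[src]
        dst_parent, dst_image = processes[dst]
        if not (is_user_writable(src_image) and is_system_binary(dst_image)):
            continue
        finding = {
            "source": src,
            "target": dst,
            "writes": count,
            "target_is_child": dst_parent == src,   # spawned-then-written, a hollowing pattern
            "target_image": PureWindowsPath(dst_image).name,
            "post_injection_privs": sorted(privs.get(dst, ())),
        }
        finding["severity"] = "high" if finding["post_injection_privs"] else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_injection(PROCESSES, EVENTS):
        print(f)
```

The rule deliberately keys on the combination rather than on any single event: WriteProcessMemory alone is common in legitimate software, and wermgr.exe is a normal Windows component, but a Temp-directory executable writing into its own freshly spawned System32 child, followed by that child requesting SeDebugPrivilege, is the pattern this report records.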