Analysis
-
max time kernel
117s -
max time network
131s -
platform
windows10_x64 -
resource
win10 -
submitted
29-06-2020 20:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe
Resource
win7v200430
General
-
Target
SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe
-
Size
540KB
-
MD5
b4e4c1c7ad5e7807415252e200012b05
-
SHA1
e5654dafbd641f451ab4a325e22b3fa8f7116ed9
-
SHA256
50afb75b2ba17418fe942e8f83a732a1baac7b9d979324b881c2a13043ea2d4e
-
SHA512
c47ca21aa302fc54a825fd056ae5694063d19788252728b3a593115bee216b54082c1f17829a884c63b5e4484b4c821a340195fe559d279a9169c94220084528
Malware Config
Extracted
trickbot
1000512
ono51
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exedescription pid process target process PID 3848 wrote to memory of 420 3848 SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe wermgr.exe PID 3848 wrote to memory of 420 3848 SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe wermgr.exe PID 3848 wrote to memory of 420 3848 SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe wermgr.exe PID 3848 wrote to memory of 420 3848 SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 420 wermgr.exe Token: SeDebugPrivilege 420 wermgr.exe Token: SeDebugPrivilege 420 wermgr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ipinfo.io
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken