Analysis
max time kernel: 149s
max time network: 147s
platform: windows10_x64
resource: win10v200430
submitted: 29-06-2020 20:26
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Generic.mg.1472a93ebff36a7c.28707.exe
Resource: win7
General
Target: SecuriteInfo.com.Generic.mg.1472a93ebff36a7c.28707.exe
Size: 540KB
MD5: 1472a93ebff36a7c10abb3a87cc740fe
SHA1: 527b7dc68a4dfdb23ad572b3c89a52e73a800bf2
SHA256: cea58204a4b92e1f22073d7046d43d32284736d7c13c0a81742fa035af396d32
SHA512: b2c968638a4323e954e84b89b231c2e3455663a2bb4b124a0ee434566dadaaa3caa749df41c0ae19fb0a3ef48cf2d04e1fab3040050f5b4c23664327eb034465
Malware Config
Extracted
trickbot
1000512
ono51
autorunName:pwgrab
Signatures
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description               pid   process
Token: SeDebugPrivilege   3696  wermgr.exe
Token: SeDebugPrivilege   3696  wermgr.exe
Token: SeDebugPrivilege   3696  wermgr.exe
Token: SeDebugPrivilege   3948  svchost.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
15    ip.anysrc.net
Suspicious use of WriteProcessMemory (593 IoCs)
Processes:
description                       pid   process                                                   target process
PID 2016 wrote to memory of 3696  2016  SecuriteInfo.com.Generic.mg.1472a93ebff36a7c.28707.exe  wermgr.exe   (listed 4 times)
PID 3696 wrote to memory of 3948  3696  wermgr.exe                                                svchost.exe  (listed repeatedly)
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.1472a93ebff36a7c.28707.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.1472a93ebff36a7c.28707.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      command line: svchost.exe
      - Suspicious use of AdjustPrivilegeToken