Analysis
-
max time kernel
122s -
max time network
140s -
platform
windows10_x64 -
resource
win10 -
submitted
29-06-2020 20:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe
Resource
win7
General
-
Target
SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe
-
Size
540KB
-
MD5
7023ccb7d7b75ce5d34c25958bb73997
-
SHA1
4c94114a2f3d39bc1703c3f40c257453a7ceb49f
-
SHA256
7a3e0290325c3571dc53efbeb9126e9db2627b8eec64c00bd646feae0821898d
-
SHA512
a1d3eff2830a16bdf124a5c379f30a0c0c2f14037a81fec44d726d305e1404326c7934caa86c36aaca322d5dfc7512d0a6f3de6fc6fbd2f4aa0f30bc0368f772
Malware Config
Extracted
trickbot
1000512
ono51
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exedescription pid process target process PID 3832 wrote to memory of 3864 3832 SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe wermgr.exe PID 3832 wrote to memory of 3864 3832 SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe wermgr.exe PID 3832 wrote to memory of 3864 3832 SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe wermgr.exe PID 3832 wrote to memory of 3864 3832 SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3864 wermgr.exe Token: SeDebugPrivilege 3864 wermgr.exe Token: SeDebugPrivilege 3864 wermgr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 api.ipify.org
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.7023ccb7d7b75ce5.21693.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken