Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 23:17
Static task: static1
Behavioral task: behavioral1
Sample: dZOiYPd.bin.exe
Resource: win7
General
Target: dZOiYPd.bin.exe
Size: 500KB
MD5: b1253684096a6ab41d9017d3d02b265a
SHA1: 68e643fa0a4dd16fc32b587535f3ae8958612b10
SHA256: a3f763c730e23fab3523b4a501f4590abcc4fd20306cba116c3b726a0d198367
SHA512: 8b7d97bd4acf405b3c4f8c0a43acb6bb1b4326e601a3fcae0226c483d0cebe132298fe68bfdb41ddef47e0a1cc8ebe62d98fa091f0a551d88822f2fc26371518
Malware Config
Extracted
Family: trickbot
Version: 1000512
Botnet: ono52
C2:
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
Attributes: autorunName:pwgrab
Signatures

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
PID 1612 wrote to memory of 1056 | 1612 | dZOiYPd.bin.exe | wermgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 1056 | wermgr.exe
Token: SeDebugPrivilege | 1056 | wermgr.exe
Token: SeDebugPrivilege | 1056 | wermgr.exe