Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 16:05
Static task: static1
Behavioral task: behavioral1
Sample: CHIL64KIOL.exe
Resource: win7

General
Target: CHIL64KIOL.exe
Size: 535KB
MD5: 5bf8e55247c38900f94178eca68df336
SHA1: 2ebb72e08ff2c146c85d37bc7c966be263174ef1
SHA256: 01aa55a89b1daf73919d9e2e8d4570be3a1f5df44d9b085d097b75a153e93a56
SHA512: 618a5d8f0059e97f053c8d43c406ff1ff9d582abdf9a0bfe81669f46c576c0c3f3506ebe20dd2423e2a3fc46cd9dc5c2d046f5e57c4944490f32490ebc93a0f6
Malware Config
Extracted
trickbot
1000512
chil64
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
autorunName:pwgrab
Signatures

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                         pid   process         target process
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
PID 1496 wrote to memory of 800     1496  CHIL64KIOL.exe  wermgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                 pid   process
Token: SeDebugPrivilege     800   wermgr.exe
Token: SeDebugPrivilege     800   wermgr.exe
Token: SeDebugPrivilege     800   wermgr.exe