Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
17/07/2020, 16:39
General
-
Target
9980m9n7wy.exe
-
Size
407KB
-
MD5
361e8f325798c47073c2f5f2f9f69aa2
-
SHA1
fa8409bcd758bbd92bc01f7961e2f844c36badc9
-
SHA256
5929445eb9941a91426eb0cc13cf918649608a1e2772d283cdc83665d82d400a
-
SHA512
26bd9330e964d9d8f53cb10dae93965954585a4e63c90574a723620bfa5258d61a7f7366a7d3336e0a10e269f69ef5447c4cfd2f665946fa11c35067fc9e9382
Score
10/10
Malware Config
Extracted
Family
trickbot
Version
1000512
Botnet
ono56
C2
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9980m9n7wy.exe"C:\Users\Admin\AppData\Local\Temp\9980m9n7wy.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB