Analysis
- max time kernel: 109s
- max time network: 118s
- platform: windows7_x64
- resource: win7
- submitted: 01-08-2020 19:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe
- Resource: win7
General
- Target: SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe
- Size: 468KB
- MD5: 9d2a13f064bb10445686a843a8e53eca
- SHA1: bff8cecaa86cc00b635c3af9c1f3087517fab279
- SHA256: 060fb50d465602d9430f4f2132c14c0b758ddda70dea9ab92bd0985e4a37d895
- SHA512: 6e4ef04b1ec0ee169aad31d668b10cc7c9bd58e2895b4d704e88dbf147a22f113f88358f10b10b8e6560b56be84e1c5abd3631bc9cadcc5edb50b1facdf6e49d
Malware Config
Extracted
- Family: trickbot
- 1000512
- ono57
- C2 (IP:port):
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
- autorunName: pwgrab
Signatures
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe
  - 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
  - PID 1448 wrote to memory of 1868 | 1448 SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe | wermgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 1868 | wermgr.exe
  - Token: SeDebugPrivilege | 1868 | wermgr.exe
  - Token: SeDebugPrivilege | 1868 | wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.8791.8460.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken