Analysis
-
max time kernel
99s -
max time network
103s -
platform
windows10_x64 -
resource
win10 -
submitted
01-08-2020 19:35
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe
Resource
win7
General
-
Target
SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe
-
Size
468KB
-
MD5
b33fec37077e7ef6dd6d170f4329e493
-
SHA1
18bf089c86f2d729aeb91be06b2fe466043d17e8
-
SHA256
b7f1686784c1825556e2bc76339b7d791b463001cf88ceb73ce2ac0170fe119a
-
SHA512
19ec69e2b07e5e8e49f985a19defb2db9afcde3a42504b7f35e9851b60b825b7677efb448e1db3f87bb70f3dfcce4587f31fb0d09929daa4de10182ba29efd0d
Malware Config
Extracted
trickbot
1000512
ono57
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SecuriteInfo.com.Trojan.Packed.140.28501.22930.exedescription pid process target process PID 3672 wrote to memory of 1008 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe wermgr.exe PID 3672 wrote to memory of 1008 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe wermgr.exe PID 3672 wrote to memory of 1008 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe wermgr.exe PID 3672 wrote to memory of 1008 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1008 wermgr.exe Token: SeDebugPrivilege 1008 wermgr.exe Token: SeDebugPrivilege 1008 wermgr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 api.ipify.org -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
SecuriteInfo.com.Trojan.Packed.140.28501.22930.exepid process 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe 3672 SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.28501.22930.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken