Analysis
- max time kernel: 84s
- max time network: 114s
- platform: windows10_x64
- resource: win10v200722
- submitted: 01-08-2020 19:32
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe
Resource: win7
General
- Target: SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe
- Size: 468KB
- MD5: 0da496cac8b30a3b62f7daa53c402149
- SHA1: 7b938023259c9e3942728b67168808c29067dd9e
- SHA256: 3c125dd701c76b591ed6aaf42f8aa0108ef9f71a5bd7c7a83dbd74f23c06b9c3
- SHA512: ae871fcbecbc338f9a6b158a862cb863590af48b27046fca5f16af4d369344972e6cbe0c2a41379c90258be11081d6179dfb517e6ca9e9ec188e0fb0f8a38b87
Malware Config
Extracted
- Family: trickbot
- Version: 1000512
- Botnet: ono57
- C2 (host:port):
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
- Attributes: autorunName:pwgrab
Signatures
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe
  788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 788 wrote to memory of 1012 | 788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe | wermgr.exe
  PID 788 wrote to memory of 1012 | 788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe | wermgr.exe
  PID 788 wrote to memory of 1012 | 788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe | wermgr.exe
  PID 788 wrote to memory of 1012 | 788 | SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe | wermgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1012 | wermgr.exe
  Token: SeDebugPrivilege | 1012 | wermgr.exe
  Token: SeDebugPrivilege | 1012 | wermgr.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | ident.me
  5 | ident.me
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.16910.21941.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken