Analysis
-
max time kernel
137s -
max time network
136s -
platform
windows10_x64 -
resource
win10 -
submitted
01-08-2020 19:36
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
Resource
win7
General
-
Target
SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
-
Size
468KB
-
MD5
4ea187187c675a57ee52c553496c1359
-
SHA1
8d6a428b658a7400ff140f276b020979a8903f10
-
SHA256
25e00e442aaad7634d767a68e254650bb075e4e8696c9727dbbd271cc04dc261
-
SHA512
0581f860396883c2f170e4b0d9664aea4050466e340a1d7f2ea6ced01e1900affb13a3c1eb5f6d5deab1ccd9a8df4aad4406348caeb662ed61c7f3a7424fe6a4
Malware Config
Extracted
trickbot
1000512
ono57
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SecuriteInfo.com.Trojan.Packed.140.24805.2656.exedescription pid process target process PID 3832 wrote to memory of 1748 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe wermgr.exe PID 3832 wrote to memory of 1748 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe wermgr.exe PID 3832 wrote to memory of 1748 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe wermgr.exe PID 3832 wrote to memory of 1748 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1748 wermgr.exe Token: SeDebugPrivilege 1748 wermgr.exe Token: SeDebugPrivilege 1748 wermgr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 api.ipify.org -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
SecuriteInfo.com.Trojan.Packed.140.24805.2656.exepid process 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe 3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken