Analysis
-
max time kernel
600s -
max time network
598s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 18:53
Static task
static1
Behavioral task
behavioral1
Sample
asdpogasdjabn.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
asdpogasdjabn.exe
-
Size
660KB
-
MD5
3ba7d3dbc17ce640e0bb3dd5f989169b
-
SHA1
84ee0b6e02339f1deb33d75693551db444923ba8
-
SHA256
52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
-
SHA512
3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231
Malware Config
Extracted
Family
trickbot
Version
100001
Botnet
tar2
C2
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1244 wermgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 288 asdpogasdjabn.exe 288 asdpogasdjabn.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30 PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30 PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30 PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30 PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30 PID 288 wrote to memory of 1244 288 asdpogasdjabn.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.exe"C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244
-