Analysis
max time kernel: 113s
max time network: 71s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:02
Static task: static1
Behavioral task: behavioral1
Sample: lkjh988jlk.exe
Resource: win7v20201028
General
Target: lkjh988jlk.exe
Size: 731KB
MD5: d55fe9b7f4d6a8ebdfdb7614c06bf17c
SHA1: d4086fb7962f773500f7cd450fbb96f39bd9a0e6
SHA256: eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078
SHA512: 51a9abf7e4e3e7479dbd409414ebce122c09dc04908dbd89f185f5db6429de11f082b28a6d05d16ed1daa822fa0d08942e4a80f7aac7fdcb93ade01fcb8a916e
Malware Config
Extracted family: trickbot
Version: 1000511
Botnet: man7
Attributes: autorunName:pwgrab
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: wermgr.exe
description               pid   process
Token: SeDebugPrivilege   1448  wermgr.exe
Token: SeDebugPrivilege   1448  wermgr.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: lkjh988jlk.exe
description                        pid  process         target process
PID 884 wrote to memory of 1448    884  lkjh988jlk.exe  wermgr.exe
PID 884 wrote to memory of 1448    884  lkjh988jlk.exe  wermgr.exe
PID 884 wrote to memory of 1448    884  lkjh988jlk.exe  wermgr.exe
PID 884 wrote to memory of 1448    884  lkjh988jlk.exe  wermgr.exe