Analysis

max time kernel: 117s
max time network: 113s
platform: windows7_x64
resource: win7v20201028
submitted: 10-11-2020 18:02

Static task: static1
Behavioral task: behavioral1
Sample: trickbot.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General

Target: trickbot.exe
Size: 660KB
MD5: 3ba7d3dbc17ce640e0bb3dd5f989169b
SHA1: 84ee0b6e02339f1deb33d75693551db444923ba8
SHA256: 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
SHA512: 3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231
Malware Config

Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2:
  66.85.183.5:443
  185.163.47.157:443
  94.140.115.99:443
  195.123.240.40:443
  195.123.241.226:443
Attributes:
  autorunName:pwgrab
  ecc_pubkey.base64
Signatures
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  6     api.ipify.org
  7     api.ipify.org
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: wermgr.exe, AUDIODG.EXE
  description                        pid   process
  Token: SeDebugPrivilege            1784  wermgr.exe
  Token: 33                          956   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  956   AUDIODG.EXE
  Token: 33                          956   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  956   AUDIODG.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: trickbot.exe
  pid   process
  2028  trickbot.exe
  2028  trickbot.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: trickbot.exe
  description                       pid   process       target process
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
  PID 2028 wrote to memory of 1784  2028  trickbot.exe  wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\trickbot.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\trickbot.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x2e8
  - Suspicious use of AdjustPrivilegeToken