Analysis
- Max time kernel: 127s
- Max time network: 128s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 10-11-2020 14:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: asdpogasdjabn.bin.exe
  - Resource: win7v20201028 (windows7_x64)
  - Signatures: 0
  - Duration: 0 seconds
General
- Target: asdpogasdjabn.bin.exe
- Size: 660KB
- MD5: 3ba7d3dbc17ce640e0bb3dd5f989169b
- SHA1: 84ee0b6e02339f1deb33d75693551db444923ba8
- SHA256: 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
- SHA512: 3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231
Malware Config
Extracted
- Family: trickbot
- Version: 100001
- Botnet: tar2
- C2:
  - 66.85.183.5:443
  - 185.163.47.157:443
  - 94.140.115.99:443
  - 195.123.240.40:443
  - 195.123.241.226:443
- Attributes:
  - autorunName: pwgrab
  - ecc_pubkey.base64
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    16   | wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description             | pid | process
    Token: SeDebugPrivilege | 504 | wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    648 | asdpogasdjabn.bin.exe
    648 | asdpogasdjabn.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                    | pid | process               | target process
    PID 648 wrote to memory of 504 | 648 | asdpogasdjabn.bin.exe | wermgr.exe
    (this entry is recorded four times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.bin.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken