Analysis
-
max time kernel
1780s -
max time network
1787s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-11-2020 22:53
Static task
static1
General
-
Target
0x0003000000000697-3.dat.exe
-
Size
296KB
-
MD5
5d75b8689e2cfbfe8065752fd4c4f661
-
SHA1
9238d8073102fd84c752f6e65edc717944346f20
-
SHA256
fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22
-
SHA512
7d842d675df4cbcb1cae10b19d3ca4d68637d98a580ae72c1a11c6a612196e4e1382093bd02dbf2a7e92c8b2aa381ab46fccdf755d2de43bc25d3af38ed86575
Malware Config
Extracted
Family
trickbot
Version
100001
Botnet
tar2
C2
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 2044 wermgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
0x0003000000000697-3.dat.exedescription pid process target process PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe PID 240 wrote to memory of 2044 240 0x0003000000000697-3.dat.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x0003000000000697-3.dat.exe"C:\Users\Admin\AppData\Local\Temp\0x0003000000000697-3.dat.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken