Analysis
max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 11-11-2020 10:53

Static task: static1
Behavioral task: behavioral1
Sample: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
Target: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe
Size: 660KB
MD5: c361c1bd2335782d5cb24ac81e2d5e6c
SHA1: 77c338ad2c72a01380a68150449dd6cca2ca7870
SHA256: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb
SHA512: 13832bbdddc5c7f92f682d2ae1816eb4ca88b2d54811d708a7c56304eaaa9eceef9390962a9bdc5feaea4f757213ec8e862740639af5f5a2ff4346b47e6c0a54
Malware Config
Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2:
- 66.85.183.5:443
- 185.163.47.157:443
- 94.140.115.99:443
- 195.123.240.40:443
- 195.123.241.226:443
Attributes:
- autorunName:pwgrab
- ecc_pubkey.base64
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - description: Token: SeDebugPrivilege; pid: 3792; process: wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe
  - pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - description: PID 576 wrote to memory of 3792; pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe; procid_target: 79
  - description: PID 576 wrote to memory of 3792; pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe; procid_target: 79
  - description: PID 576 wrote to memory of 3792; pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe; procid_target: 79
  - description: PID 576 wrote to memory of 3792; pid: 576; process: f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe; procid_target: 79
Processes
- C:\Users\Admin\AppData\Local\Temp\f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe (PID 576), command line: "C:\Users\Admin\AppData\Local\Temp\f3f2e0e5f0dd4c1b04f2434b95aba1fafd91df0e0e75cf6a851d5238f1ad0ffb.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (PID 3792), command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken