Resubmissions
12-11-2020 11:08  201112-agbw3dbgk6  10
11-11-2020 17:02  201111-rqtshk2mks  10
11-11-2020 10:20  201111-y7dmq33bmx  10

Analysis
max time kernel: 137s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 11-11-2020 10:20

Static task: static1
Behavioral task: behavioral1
Sample: fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe
Resource: win7v20201028
General
Target: fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe
Size: 296KB
MD5: 5d75b8689e2cfbfe8065752fd4c4f661
SHA1: 9238d8073102fd84c752f6e65edc717944346f20
SHA256: fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22
SHA512: 7d842d675df4cbcb1cae10b19d3ca4d68637d98a580ae72c1a11c6a612196e4e1382093bd02dbf2a7e92c8b2aa381ab46fccdf755d2de43bc25d3af38ed86575
Malware Config
Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2:
  66.85.183.5:443
  185.163.47.157:443
  94.140.115.99:443
  195.123.240.40:443
  195.123.241.226:443
Attr: autorunName:pwgrab
Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  19    ident.me
  20    ident.me

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3792  wermgr.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid  process                                                                   target process
  PID 576 wrote to memory of 3792    576  fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe  wermgr.exe
  PID 576 wrote to memory of 3792    576  fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe  wermgr.exe
  PID 576 wrote to memory of 3792    576  fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe  wermgr.exe
  PID 576 wrote to memory of 3792    576  fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe  wermgr.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken