Analysis

  Max time kernel:   149s
  Max time network:  151s
  Platform:          windows10_x64
  Resource:          win10v20201028
  Submitted:         12-11-2020 13:54

Tasks

  static1       Static task
  behavioral1   Behavioral task
                Sample:    2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe
                Resource:  win7v20201028 (windows7_x64)
                Result:    0 signatures, 0 seconds

  Note that the task listed here ran on a Windows 7 resource and produced no signatures; the behaviour recorded in the sections below was observed on the windows10_x64 / win10v20201028 run shown in the header.
General

  Target:  2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe
  Size:    660KB
  MD5:     c17c153f148b11a904690af5e747aa90
  SHA1:    cb7f251f980d3433876038141dfdab4756ab5c76
  SHA256:  2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed
  SHA512:  a66fa9cae65b4e72033b379194508b516a812e80a1bda5ae3f84f8d7b75cf48878e316cce665b8f549e8f8ec8397265c7172e9787cee34f9cb2a3aaecb8b4401
Malware Config (extracted)

  Family:   trickbot
  Version:  100001
  Botnet:   tar2
  C2:
    66.85.183.5:443
    185.163.47.157:443
    94.140.115.99:443
    195.123.240.40:443
    195.123.241.226:443
  Attributes:
    autorunName: pwgrab
    ecc_pubkey.base64
Signatures

  Contacts Bazar domain
    Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Process      PID   Token
    wermgr.exe   2212  SeDebugPrivilege

  Suspicious use of SetWindowsHookEx (2 IoCs)
    Process                                                                  PID
    2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe   3412
    2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe   3412

  Suspicious use of WriteProcessMemory (4 IoCs, all identical)
    Source process                                                           PID   Target process   Target PID
    2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe   3412  wermgr.exe       2212
    (PID 3412 wrote to the memory of PID 2212 four times.)
Processes

  1. C:\Users\Admin\AppData\Local\Temp\2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe  (PID 3412)
     Command line: "C:\Users\Admin\AppData\Local\Temp\2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe"
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\system32\wermgr.exe  (PID 2212, child of 1)
        Command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
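The WriteProcessMemory and AdjustPrivilegeToken signatures above are individually low-signal (many legitimate parents write into their children), but joined together they describe one chain: the sample spawns the signed Windows binary wermgr.exe, writes into it four times, and that child then enables SeDebugPrivilege, which is consistent with the sample injecting its payload into wermgr.exe. The script below is an added example of that correlation written for this report, not code from the sandbox's own signature engine. The event records are transcribed from the IoCs listed on this page; the set of injection-target images, the privilege list and the severity scale are assumptions chosen for the example, and the benign control events are constructed.

```python
"""Correlate sandbox behaviour events into a single process-injection finding.

Added example for this report, not part of the sandbox's signature engine.
REPORT_EVENTS is transcribed from the WriteProcessMemory, SetWindowsHookEx and
AdjustPrivilegeToken IoCs on this page; INJECTION_TARGETS, SENSITIVE_PRIVILEGES,
the severity scale and BENIGN_EVENTS are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Signed Windows binaries that loaders commonly inject into (assumption; the
# report itself only shows wermgr.exe).
INJECTION_TARGETS = {"wermgr.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}

# Token privileges whose acquisition by an injected-into process raises severity
# (assumption for the example).
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}


@dataclass(frozen=True)
class Event:
    api: str                            # API family named by the sandbox signature
    pid: int                            # process performing the call
    image: str                          # its image name
    target_pid: Optional[int] = None    # set for cross-process writes
    target_image: Optional[str] = None
    detail: Optional[str] = None        # e.g. privilege name for AdjustPrivilegeToken


SAMPLE = "2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe"

# Transcribed from the report: four writes by PID 3412 into PID 2212 (wermgr.exe),
# two hooks installed by 3412, and wermgr.exe enabling SeDebugPrivilege.
REPORT_EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 3412, SAMPLE, 2212, "wermgr.exe")] * 4
    + [Event("SetWindowsHookEx", 3412, SAMPLE)] * 2
    + [Event("AdjustPrivilegeToken", 2212, "wermgr.exe", detail="SeDebugPrivilege")]
)

# Constructed benign control: a build tool writes into its own child, which is
# not a known injection target, and nothing changes token privileges.
BENIGN_EVENTS: List[Event] = [
    Event("WriteProcessMemory", 100, "devenv.exe", 101, "msbuild.exe"),
    Event("SetWindowsHookEx", 100, "devenv.exe"),
]


def correlate_injection(events: List[Event]) -> List[Dict[str, object]]:
    """Group cross-process writes by (source, target) and join each group with
    the privileges the target later enabled. A finding is emitted when a
    process writes into a different process whose image is a known target."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    images: Dict[int, str] = {}
    privileges: Dict[int, Set[str]] = defaultdict(set)

    for e in events:
        images.setdefault(e.pid, e.image)
        if e.api == "WriteProcessMemory" and e.target_pid is not None:
            writes[(e.pid, e.target_pid)] += 1
            images.setdefault(e.target_pid, e.target_image or "")
        elif e.api == "AdjustPrivilegeToken" and e.detail:
            privileges[e.pid].add(e.detail)

    findings: List[Dict[str, object]] = []
    for (src, dst), count in writes.items():
        if src == dst or images.get(dst, "").lower() not in INJECTION_TARGETS:
            continue
        gained = sorted(privileges[dst] & SENSITIVE_PRIVILEGES)
        findings.append({
            "technique": "process injection into system binary",
            "source": (src, images[src]),
            "target": (dst, images[dst]),
            "writes": count,
            "target_privileges": gained,
            # Writes alone rate 'medium'; a target that then takes a debugging-class
            # privilege rates 'high'. The scale is an assumption for the example.
            "severity": "high" if gained else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_injection(REPORT_EVENTS):
        print(finding)
    print("benign control:", correlate_injection(BENIGN_EVENTS))
```

Run against the report's events this yields one high-severity finding (3412 → 2212, four writes, SeDebugPrivilege gained by the target) and nothing for the benign control. The same join can be expressed over Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4703 (token privilege adjustment) in a SIEM; the point is to key the privilege event on the injected-into PID rather than on the original sample, which has already handed off execution.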