Analysis

Max time kernel: 126s
Max time network: 125s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 14-11-2020 08:51

Static task: static1

Behavioral task: behavioral1
Sample: Froggies.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Froggies.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General

Target: Froggies.exe
Size: 404KB
MD5: c99e8ea05346c198782e4c66f01d7c10
SHA1: 2ec006693189d6d9f9e1d1d0a244ea7086c83641
SHA256: bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16
SHA512: 7c4137c51c5ae5bf45c43d5c0685075d96e674115534735df1407e2326d9f07ff5992f28d5c09b10497b90ff9fc6fe5ec624495ee077455067f23934c6f998d3
Malware Config

Extracted
Family: trickbot
Version: 100002
Botnet: fra1
C2:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Attributes:
autorunName: pwgrab
ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 912 | wermgr.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
1808 | Froggies.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 1808 wrote to memory of 1092 | 1808 | Froggies.exe | splwow64.exe
PID 1808 wrote to memory of 1092 | 1808 | Froggies.exe | splwow64.exe
PID 1808 wrote to memory of 1092 | 1808 | Froggies.exe | splwow64.exe
PID 1808 wrote to memory of 1092 | 1808 | Froggies.exe | splwow64.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
PID 1808 wrote to memory of 912 | 1808 | Froggies.exe | wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Froggies.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Froggies.exe"
  PID: 1808
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1092
    C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 912
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

memory/912-4-0x0000000000000000-mapping.dmp
memory/1092-2-0x0000000000000000-mapping.dmp
memory/1808-3-0x0000000002360000-0x000000000239A000-memory.dmp (232KB)
memory/1808-5-0x00000000024C0000-0x00000000024C4000-memory.dmp (16KB)
memory/1808-6-0x00000000025E0000-0x00000000025E4000-memory.dmp (16KB)