Analysis
- max time kernel: 591s
- max time network: 602s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 16-11-2020 14:52
- Static task: static1
General
- Target: 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
- Size: 660KB
- MD5: ec54f8dc5c52b45031e0dae26410882c
- SHA1: aa836180c50ddba9d93e3a757ce31caa396b60ad
- SHA256: 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732
- SHA512: 4917dd1e659afe938f48f90b0e92168e8598c982160a4135e3e13ebe28c3f0f595f4f9f2e5943d98d1d568d55a2ee6cca37345364d55abde71d1a99b398a9232
Malware Config
Extracted
- Family: trickbot
- Version: 100001
- Botnet: tar2
- C2:
  - 66.85.183.5:443
  - 185.163.47.157:443
  - 94.140.115.99:443
  - 195.123.240.40:443
  - 195.123.241.226:443
- Attributes:
  - autorunName: pwgrab
  - ecc_pubkey.base64
Signatures
- Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 1724 | process: wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid: 1892 | process: 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
    pid: 1892 | process: 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 1892 wrote to memory of 1724 | pid: 1892 | process: 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe | target process: wermgr.exe
    (this identical entry is listed 6 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (child of the process above)
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken