Analysis
max time kernel: 147s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 14:25
Static task: static1
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
Target: 1.exe
Size: 400KB
MD5: c5c8b64f2f89c074396266be3424e758
SHA1: 3a5ade966e33a398b135c840064eb2a4e5fea761
SHA256: 648d3b8639ff54b8741ec84898b213836594539de6f0c11a6c9f34dccf5e79fe
SHA512: aeff3fe19e50275ec851c762c0f124f70068d63230bc34cd66b67e34c102e079f1ce369dccb8ab506eb29f8f0eebcc83f61abf202e21cfffde40c7cbe6b38ff7
Malware Config
Extracted
Family: trickbot
Version: 100002
Botnet: yas2
C2:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Attributes:
autorunName: pwgrab
ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid   process
Token: SeDebugPrivilege   216   wermgr.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid   process
828   1.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                       pid   process   target process
PID 828 wrote to memory of 216    828   1.exe     wermgr.exe
PID 828 wrote to memory of 216    828   1.exe     wermgr.exe
PID 828 wrote to memory of 216    828   1.exe     wermgr.exe
PID 828 wrote to memory of 216    828   1.exe     wermgr.exe