Analysis

max time kernel: 141s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 17-11-2020 15:20

Static task: static1
Behavioral task: behavioral1
Sample: c361c1bd2335782d5cb24ac81e2d5e6c.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General

Target: c361c1bd2335782d5cb24ac81e2d5e6c.exe
Size: 660KB
MD5: b44c5540e020963aca89f3b9a96beb35
SHA1: 14a6e46be7863db3090d81a18d4e080ac005f437
SHA256: fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350
SHA512: 63ffac732d6b6b469f6072efa0b4ad0ef224072418b18ed879fe914c3cb64b6714ca4948c5d1816218d611865a1f1747121e126a407acbcc038b4615f9b7fd31
Malware Config

Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2: 66.85.183.5:443, 185.163.47.157:443, 94.140.115.99:443, 195.123.240.40:443, 195.123.241.226:443
Attributes:
  autorunName: pwgrab
  ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege | pid: 1772 | process: wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 1320 | process: c361c1bd2335782d5cb24ac81e2d5e6c.exe
  pid: 1320 | process: c361c1bd2335782d5cb24ac81e2d5e6c.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (6 identical entries):
  description: PID 1320 wrote to memory of 1772 | pid: 1320 | process: c361c1bd2335782d5cb24ac81e2d5e6c.exe | target process: wermgr.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c361c1bd2335782d5cb24ac81e2d5e6c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c361c1bd2335782d5cb24ac81e2d5e6c.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\wermgr.exe (child of 1)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken