Analysis
- max time kernel: 285s
- max time network: 297s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-11-2020 02:15
- Static task: static1
General
- Target: sfc8b4.bin.exe
- Size: 788KB
- MD5: a5a28b55cd644c7b83b4641c4fdbf3a5
- SHA1: 772851debc5ef85a750577ebbae3cf3592c0b3ce
- SHA256: 58c4bea082b2f44f0beab5356ae2bc9bc73c3f13ab0491861bc2ba24690da103
- SHA512: 72ab2ba476428714985da8d51d4a65dee188df05310202b49d7f19645bd316266a9744343d22482d45b7bdd18520395aefb5f5eab16f39633cadac675bbf5695
Malware Config
Extracted
- Family: trickbot
- Version: 2000014
- Botnet: mor137
- C2:
Attributes
- autorunName: pwgrab
- ecc_pubkey.base64
Signatures
- Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2232 | wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  4752 | sfc8b4.bin.exe
  4752 | sfc8b4.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 4752 wrote to memory of 2232 | 4752 | sfc8b4.bin.exe | wermgr.exe
  PID 4752 wrote to memory of 2232 | 4752 | sfc8b4.bin.exe | wermgr.exe
  PID 4752 wrote to memory of 2232 | 4752 | sfc8b4.bin.exe | wermgr.exe
  PID 4752 wrote to memory of 2232 | 4752 | sfc8b4.bin.exe | wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sfc8b4.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sfc8b4.bin.exe"
  PID: 4752
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    PID: 2232
    - Suspicious use of AdjustPrivilegeToken