Analysis
max time kernel: 141s
max time network: 144s
platform: windows10_x64
resource: win10v20201028
submitted: 18-11-2020 15:54

Static task: static1
Behavioral task: behavioral1
Sample: kdfjglkdfg.exe.dll
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
Target: kdfjglkdfg.exe.dll
Size: 407KB
MD5: cd424ccdabd6cfac66395d687b41db6a
SHA1: 78fe1f1f5547865f1cac31e36da5e970bbf05268
SHA256: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
SHA512: f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9
Malware Config
Extracted
Family: trickbot
Version: 100002
Botnet: tar3
C2:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Attributes:
autorunName: pwgrab
ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1672 | wermgr.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 636 wrote to memory of 1676 | 636 | regsvr32.exe | regsvr32.exe
PID 636 wrote to memory of 1676 | 636 | regsvr32.exe | regsvr32.exe
PID 636 wrote to memory of 1676 | 636 | regsvr32.exe | regsvr32.exe
PID 1676 wrote to memory of 1672 | 1676 | regsvr32.exe | wermgr.exe
PID 1676 wrote to memory of 1672 | 1676 | regsvr32.exe | wermgr.exe
PID 1676 wrote to memory of 1672 | 1676 | regsvr32.exe | wermgr.exe
PID 1676 wrote to memory of 1672 | 1676 | regsvr32.exe | wermgr.exe
Processes (tree)

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
  PID: 636
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
    PID: 1676
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      PID: 1672
      - Suspicious use of AdjustPrivilegeToken