Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 18-11-2020 12:21
Static task: static1
Behavioral task: behavioral1
Sample: fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe
Size: 660KB
MD5: b44c5540e020963aca89f3b9a96beb35
SHA1: 14a6e46be7863db3090d81a18d4e080ac005f437
SHA256: fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350
SHA512: 63ffac732d6b6b469f6072efa0b4ad0ef224072418b18ed879fe914c3cb64b6714ca4948c5d1816218d611865a1f1747121e126a407acbcc038b4615f9b7fd31
Malware Config
Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2:
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
Attributes:
autorunName: pwgrab
ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1328 | wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe
1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
PID 1004 wrote to memory of 1328 | 1004 | fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe | wermgr.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe (depth 2, child of the process above)
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
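The chain the Signatures section records (PID 1004, the sample dropped in Temp, writing six times into wermgr.exe PID 1328, which then enables SeDebugPrivilege) is the pattern a detection should key on, and the extracted C2 list is what should be turned into network indicators. The following is an added example, not code or output from the sandbox or from the sample: it re-parses a constructed excerpt that copies this report's own rows, groups the WriteProcessMemory events per writer/target pair, joins each group with the token event in the target, and validates the C2 entries as ip:port indicators. `HOST_BINARIES`, the verdict strings and the function names are assumptions made for illustration.

```python
"""Correlate sandbox signature rows into an injection chain and validate C2 IoCs.

Added example, not sandbox code. REPORT below is a constructed excerpt copied
from this report's rows; the correlation rule, HOST_BINARIES and the function
names are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = "fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350.exe"

# Constructed excerpt: C2 block, the AdjustPrivilegeToken row and the six
# WriteProcessMemory rows, in the flattened form they have on the page.
WRITE_ROW = f"PID 1004 wrote to memory of 1328 1004 {SAMPLE} wermgr.exe"
REPORT = "\n".join([
    "C2",
    "66.85.183.5:443",
    "185.163.47.157:443",
    "94.140.115.99:443",
    "195.123.240.40:443",
    "195.123.241.226:443",
    "Attributes",
    "Token: SeDebugPrivilege 1328 wermgr.exe",
] + [WRITE_ROW] * 6)

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$", re.MULTILINE)
TOKEN_RE = re.compile(r"^Token: (Se\w+) (\d+) (\S+)$", re.MULTILINE)
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$", re.MULTILINE)

# Windows binaries a Temp-dropped executable has no legitimate reason to write
# into. Assumed allowlist for this example; wermgr.exe is the one on this page.
HOST_BINARIES = {"wermgr.exe", "svchost.exe", "explorer.exe"}


def parse_c2(text):
    """Return validated (ip, port) pairs from the C2 block, rejecting garbage."""
    out = []
    for ip_s, port_s in C2_RE.findall(text):
        ip = ipaddress.ip_address(ip_s)      # raises ValueError on e.g. 300.1.1.1
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {ip_s}:{port_s}")
        if not ip.is_global:
            # An extracted config pointing at loopback/RFC1918 space is a
            # parsing error, not an indicator worth shipping to a blocklist.
            raise ValueError(f"non-routable C2 {ip_s}")
        out.append((str(ip), port))
    return out


def find_injection_chains(text, host_binaries=HOST_BINARIES):
    """Group WriteProcessMemory rows by (writer, target) and join each group
    with any SeDebugPrivilege grant observed in the target process."""
    groups = defaultdict(lambda: {"writes": 0})
    for src, dst, _, src_img, dst_img in WRITE_RE.findall(text):
        if src == dst:
            continue  # a process writing its own memory is not injection
        rec = groups[(int(src), int(dst))]
        rec.update(parent_pid=int(src), child_pid=int(dst), parent=src_img, child=dst_img)
        rec["writes"] += 1

    debug_pids = {int(pid) for priv, pid, _ in TOKEN_RE.findall(text)
                  if priv == "SeDebugPrivilege"}

    chains = []
    for rec in groups.values():
        rec["child_enabled_debug"] = rec["child_pid"] in debug_pids
        rec["child_is_host_binary"] = rec["child"].lower() in host_binaries
        # Writing into a Windows binary is injection; the target then taking
        # SeDebugPrivilege is what lets the injected code open other processes.
        if rec["child_is_host_binary"] and rec["child_enabled_debug"]:
            rec["verdict"] = "injection, child escalated with SeDebugPrivilege"
        elif rec["child_is_host_binary"]:
            rec["verdict"] = "injection into Windows binary"
        else:
            rec["verdict"] = "cross-process write (review)"
        chains.append(rec)
    return chains


if __name__ == "__main__":
    for ip, port in parse_c2(REPORT):
        print(f"C2 {ip}:{port}")
    for c in find_injection_chains(REPORT):
        print(f"{c['parent']} ({c['parent_pid']}) -> {c['child']} ({c['child_pid']}): "
              f"{c['writes']} writes, {c['verdict']}")
```

The same join works on endpoint telemetry once events are mapped to (writer pid, target pid) and (pid, privilege) tuples; keying on the pair rather than on individual rows is what collapses the six identical WriteProcessMemory entries into one chain with a count, and the `is_global` check stops a mis-parsed config from being pushed out as an indicator.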