Analysis
-
max time kernel
107s -
max time network
105s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-11-2020 09:18
Static task
static1
Behavioral task
behavioral1
Sample
c252603232987121f642be93e9e39348.exe
Resource
win7v20201028
General
-
Target
c252603232987121f642be93e9e39348.exe
-
Size
660KB
-
MD5
c252603232987121f642be93e9e39348
-
SHA1
9a06574b7f9f732cf6265fe0aff4c133c1cb8314
-
SHA256
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
-
SHA512
70630a8d2c467a6fed99443da2a776c67b6f819c58f5c77d6af8e441a53c891eb169c27a5ee4b5f799d3d51df922d9688d1f4edd55aa6b094d1422291681dc7e
Malware Config
Extracted
trickbot
100003
tar3
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
-
autorunName:pwgrab
Signatures
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1676 wermgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
c252603232987121f642be93e9e39348.exepid process 1852 c252603232987121f642be93e9e39348.exe 1852 c252603232987121f642be93e9e39348.exe 1852 c252603232987121f642be93e9e39348.exe 1852 c252603232987121f642be93e9e39348.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c252603232987121f642be93e9e39348.exedescription pid process target process PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe PID 1852 wrote to memory of 1676 1852 c252603232987121f642be93e9e39348.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c252603232987121f642be93e9e39348.exe"C:\Users\Admin\AppData\Local\Temp\c252603232987121f642be93e9e39348.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676