Analysis

max time kernel: 141s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 23-11-2020 08:18

Static task: static1
Behavioral task: behavioral1
- Sample: 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
General

Target: 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
Size: 660KB
MD5: 3ba7d3dbc17ce640e0bb3dd5f989169b
SHA1: 84ee0b6e02339f1deb33d75693551db444923ba8
SHA256: 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
SHA512: 3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231
Malware Config

Extracted
Family: trickbot
Version: 100001
Botnet: tar2
C2:
- 66.85.183.5:443
- 185.163.47.157:443
- 94.140.115.99:443
- 195.123.240.40:443
- 195.123.241.226:443
Attributes:
- autorunName: pwgrab
- ecc_pubkey.base64
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- wermgr.exe: Token: SeDebugPrivilege, pid 3688, process wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: pid 3324, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: pid 3324, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: PID 3324 wrote to memory of 3688, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe, target process wermgr.exe
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: PID 3324 wrote to memory of 3688, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe, target process wermgr.exe
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: PID 3324 wrote to memory of 3688, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe, target process wermgr.exe
- 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe: PID 3324 wrote to memory of 3688, process 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe, target process wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
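The three signatures together describe one chain: the sample (pid 3324), running from the user's Temp directory, spawns the legitimate Windows Error Reporting binary wermgr.exe (pid 3688), writes into its memory four times, and the child then enables SeDebugPrivilege, which is the injection step TrickBot is known for, and why the C2 traffic would appear to come from wermgr.exe. The script below is an added example, not Triage's code and not part of the original report. It replays that chain as a constructed in-memory event log (pids, images, API names and counts taken from the Signatures and Processes sections; the CreateProcess record is inferred from the process tree), flags it with a small heuristic of my own (at least two of: source in a user temp dir, target under System32, target spawned by the source, target enabling SeDebugPrivilege), and turns the extracted C2 list into validated endpoints and Suricata rules. The `sid` base is a placeholder.

```python
"""Added example: detector and IOC extractor built from the events and config
listed in the Triage report above. Not Triage's code; the event records are
constructed by hand from the report and the Suricata sid range is a
placeholder (assumption)."""
import ipaddress
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe")
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed event log mirroring the report: 1x AdjustPrivilegeToken in the
# child, 2x SetWindowsHookEx and 4x WriteProcessMemory from the sample. The
# CreateProcess record is inferred from the process tree (wermgr.exe is a
# child of the sample), not a line the report prints.
EVENTS = [
    {"api": "CreateProcess", "pid": 3324, "image": SAMPLE,
     "target_pid": 3688, "target_image": WERMGR},
    *[{"api": "SetWindowsHookEx", "pid": 3324, "image": SAMPLE}] * 2,
    *[{"api": "WriteProcessMemory", "pid": 3324, "image": SAMPLE,
       "target_pid": 3688, "target_image": WERMGR}] * 4,
    {"api": "AdjustPrivilegeToken", "pid": 3688, "image": WERMGR,
     "privilege": "SeDebugPrivilege"},
]

USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.I)


def find_injection(events):
    """Flag cross-process memory writes that look like this report's chain.
    One finding per (source, target) pair that hits at least two indicators;
    the indicator set and the threshold are this example's own heuristic."""
    image, parent = {}, {}
    writes = defaultdict(int)   # (src pid, dst pid) -> WriteProcessMemory count
    privs = defaultdict(set)    # pid -> privileges enabled via AdjustPrivilegeToken
    for e in events:
        image[e["pid"]] = e["image"]
        if e["api"] == "CreateProcess":
            parent[e["target_pid"]] = e["pid"]
            image[e["target_pid"]] = e["target_image"]
        elif e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["api"] == "AdjustPrivilegeToken":
            privs[e["pid"]].add(e["privilege"])
    findings = []
    for (src, dst), count in writes.items():
        if src == dst:
            continue
        reasons = []
        if USER_TEMP.match(image.get(src, "")):
            reasons.append("source image runs from a user temp directory")
        if SYSTEM32.match(image.get(dst, "")):
            reasons.append("target is a System32 binary")
        if parent.get(dst) == src:
            reasons.append("target was spawned by the source itself")
        if "SeDebugPrivilege" in privs.get(dst, ()):
            reasons.append("target enabled SeDebugPrivilege")
        if len(reasons) >= 2:
            findings.append({"source_pid": src, "target_pid": dst,
                             "target_image": image.get(dst), "writes": count,
                             "reasons": reasons})
    return findings


# The C2 list exactly as the report's Malware Config section gives it.
C2_TEXT = """66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443"""


def parse_c2(text):
    """Turn the extracted C2 list into validated (ip, port) tuples;
    ipaddress.ip_address raises on anything that is not a literal IP."""
    out = []
    for entry in text.split():
        host, _, port = entry.rpartition(":")
        out.append((str(ipaddress.ip_address(host)), int(port)))
    return out


def c2_to_suricata(c2, sid_base=9000000):
    """One outbound alert per C2 endpoint. sid_base is a placeholder
    (assumption); use a sid from your own local range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"TrickBot tar2 C2 {ip}:{port}"; flow:to_server; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    for f in find_injection(EVENTS):
        print(f"pid {f['source_pid']} -> pid {f['target_pid']} "
              f"({f['target_image']}), {f['writes']} writes: "
              + "; ".join(f["reasons"]))
    print("\n".join(c2_to_suricata(parse_c2(C2_TEXT))))
```

Against the constructed log this yields a single finding, 3324 -> 3688 (wermgr.exe) with all four indicators, and five rules. On real telemetry the same logic works over Sysmon event 10 (ProcessAccess) plus event 1 (ProcessCreate); the wermgr.exe-under-System32 check is what separates this from the many benign cross-process writes a Windows desktop produces.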