Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-12-2020 21:51

Static task: static1
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20201028
- 0 signatures
- 0 seconds
General
- Target: sample.exe
- Size: 592KB
- MD5: c338a1e442838cc95a6724f2def934b5
- SHA1: 279e903c173a2f7b34806d931b31369788cd90b9
- SHA256: df4491307732cc8c20abfa4e86609aaef79ce847563f060bfa73b0dc8dce274a
- SHA512: c77ba9ec89037537919192737d3cb5315b9070059c328e0d69022183dbd6d8667ab4778ffa52082d95ccb8c9412ad4ebe0f1e6eb090c3fa3cb4c920ae31440b7
Malware Config
Extracted
- Family: trickbot
- Version: 2000013
- Botnet: mor133
- C2:
- Attributes:
  - autorunName: pwgrab
  - ecc_pubkey.base64
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - wermgr.exe (PID 4240): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - sample.exe (PID 4688)
  - sample.exe (PID 4688)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  - sample.exe (PID 4688) wrote to memory of wermgr.exe (PID 4240)
  - sample.exe (PID 4688) wrote to memory of wermgr.exe (PID 4240)
  - sample.exe (PID 4688) wrote to memory of wermgr.exe (PID 4240)
  - sample.exe (PID 4688) wrote to memory of wermgr.exe (PID 4240)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (child process)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken