Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-12-2020 21:51

- Static task: static1
- Behavioral task: behavioral1
  - Sample: sample.exe
  - Resource: win7v20201028
General
- Target: sample.exe
- Size: 284KB
- MD5: 99b81672c6ec04e7e6e6063b40d9127c
- SHA1: 2f29fb6c87fd77f2ff5df3312e0c0667b76af3cf
- SHA256: 447e9c417b7c9cf6e03086ca1da31a718e5159f454bf91efad09f240572db967
- SHA512: b0e877ed117457a8a4458816309c8e68a911e0b6d17d449730e09beec84174abd3b97493dcea6b3dc55617471797371d4d6cf84c58f117b8bf826da0349d3e8f
Malware Config
Extracted
- Family: trickbot
- Version: 1000508
- Botnet (gtag): yas31
- C2 (39 entries; port 443 blends with ordinary HTTPS, port 449 is TrickBot's customary non-standard C2 port):
  164.132.255.19:443
  188.119.113.114:443
  176.119.159.147:443
  51.254.164.243:443
  178.156.202.251:443
  185.234.72.24:443
  194.5.250.52:443
  217.12.209.244:443
  185.99.2.123:443
  185.198.57.75:443
  93.189.42.81:443
  148.251.185.186:443
  79.137.101.2:443
  51.89.115.121:443
  91.200.100.84:443
  194.5.250.69:443
  185.14.30.45:443
  185.99.2.142:443
  107.175.133.162:443
  5.196.247.14:443
  190.214.13.2:449
  181.129.104.139:449
  181.112.157.42:449
  181.129.134.18:449
  131.161.253.190:449
  121.100.19.18:449
  202.29.215.114:449
  171.100.142.238:449
  190.136.178.52:449
  45.6.16.68:449
  110.232.76.39:449
  122.50.6.122:449
  103.12.161.194:449
  36.91.45.10:449
  103.227.147.82:449
  96.9.77.56:449
  103.5.231.188:449
  110.93.15.98:449
  200.171.101.169:449
- Attributes: autorunName:pwgrab
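The C2 list above as it would be consumed on the defensive side. This is an added example, not part of the sandbox report or of any extractor or IDS project: it parses the report's ip:port entries (copied verbatim into the script), groups them by port, emits Suricata rules for outbound contacts, and matches constructed flow records against the exact ip:port pairs. The SID range, the rule message, the flow record shape and the flow records themselves are assumptions for the example.

```python
"""Network IOCs from the TrickBot config extracted above.

Added example, not part of the sandbox report: it parses the report's C2
list into validated (ip, port) pairs, groups them by port, emits Suricata
rules for them, and matches constructed flow records against them.
"""
import ipaddress
from collections import defaultdict

# C2 entries copied from the report's "Malware Config" block (ip:port, whitespace-separated).
C2_TEXT = """
164.132.255.19:443 188.119.113.114:443 176.119.159.147:443 51.254.164.243:443 178.156.202.251:443
185.234.72.24:443 194.5.250.52:443 217.12.209.244:443 185.99.2.123:443 185.198.57.75:443
93.189.42.81:443 148.251.185.186:443 79.137.101.2:443 51.89.115.121:443 91.200.100.84:443
194.5.250.69:443 185.14.30.45:443 185.99.2.142:443 107.175.133.162:443 5.196.247.14:443
190.214.13.2:449 181.129.104.139:449 181.112.157.42:449 181.129.134.18:449 131.161.253.190:449
121.100.19.18:449 202.29.215.114:449 171.100.142.238:449 190.136.178.52:449 45.6.16.68:449
110.232.76.39:449 122.50.6.122:449 103.12.161.194:449 36.91.45.10:449 103.227.147.82:449
96.9.77.56:449 103.5.231.188:449 110.93.15.98:449 200.171.101.169:449
"""
BOTNET, VERSION = "yas31", "1000508"   # botnet tag and version from the report, used in rule text


def parse_c2_list(text):
    """Return an ordered, de-duplicated list of (ip, port); malformed tokens are skipped."""
    seen, out = set(), []
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            continue
        try:
            pair = (str(ipaddress.ip_address(host)), int(port))
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); out of scope for this list
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def group_by_port(c2s):
    """Map port -> IPs sorted numerically; TrickBot's port-449 listeners stand out here."""
    groups = defaultdict(list)
    for ip, port in c2s:
        groups[port].append(ip)
    return {p: sorted(ips, key=ipaddress.ip_address) for p, ips in groups.items()}


def suricata_rules(c2s, sid_base=9000001):
    """One outbound rule per C2 port, with the IPs packed into a Suricata address list.

    sid_base is an assumed local SID range, not one registered anywhere.
    """
    rules = []
    for i, (port, ips) in enumerate(sorted(group_by_port(c2s).items())):
        rules.append(
            'alert tcp $HOME_NET any -> [%s] %d (msg:"TrickBot C2 %s v%s port %d"; '
            'flow:to_server; sid:%d; rev:1;)'
            % (",".join(ips), port, BOTNET, VERSION, port, sid_base + i)
        )
    return rules


def match_flows(c2s, flows):
    """Return flow records whose (dst, dport) is a known C2 pair.

    Matching the exact pair rather than the bare IP keeps a port-443 contact
    with a host the config lists only on 449 from being reported as C2.
    """
    pairs = set(c2s)
    return [f for f in flows if (f["dst"], f["dport"]) in pairs]


# Constructed NetFlow-like records (not from the report) to exercise match_flows.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "190.214.13.2", "dport": 449},    # C2 on TrickBot's port 449
    {"src": "10.0.0.5", "dst": "164.132.255.19", "dport": 443},  # C2 on 443
    {"src": "10.0.0.5", "dst": "190.214.13.2", "dport": 443},    # listed IP, unlisted port
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443},    # unrelated host
]

if __name__ == "__main__":
    c2s = parse_c2_list(C2_TEXT)
    for port, ips in sorted(group_by_port(c2s).items()):
        print("port %d: %d C2 hosts" % (port, len(ips)))
    for rule in suricata_rules(c2s):
        print(rule)
    for hit in match_flows(c2s, SAMPLE_FLOWS):
        print("C2 contact:", hit)
```

Matching on the exact ip:port pair is deliberate: the config lists each host on one port, and alerting on the bare IP would turn any unrelated contact with a shared hosting address into a TrickBot alert. Widen to IP-only matching consciously, with a lower severity, if the environment warrants it.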
Signatures
- Dave packer (1 IoC)
  Detects an executable packed with the community-named 'Dave' packer, identified by a string at the end of the file. The match here is on a memory dump of sample.exe (PID 800), not on the file on disk.
  Resource | YARA rule
  behavioral1/memory/800-2-0x0000000000260000-0x0000000000292000-memory.dmp | dave
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID | Process
  800 | sample.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 1388 | wermgr.exe
  Token: SeDebugPrivilege | 1388 | wermgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description | PID | Process | Target process
  PID 800 wrote to memory of 1388 | 800 | sample.exe | wermgr.exe
  (the same row is recorded six times: six separate writes from sample.exe into wermgr.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (PID 1388, spawned by sample.exe)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken

Read together with the signature tables: sample.exe launches wermgr.exe (the Windows Error Reporting manager, a legitimate system binary), writes into its memory six times, and wermgr.exe then enables SeDebugPrivilege. That sequence is consistent with sample.exe injecting its payload into the child it spawned, so any later network or privilege activity from this run should be expected to appear under wermgr.exe rather than sample.exe.
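The spawn-and-inject sequence above as detection logic over an event stream. This is an added example, not part of the sandbox report or of any sandbox's own signature engine: it replays constructed events modelled on the report's tables (sample.exe, PID 800, writing six times into the wermgr.exe it spawned, PID 1388, which then enables SeDebugPrivilege) and flags cross-process writes from a user-writable path into a Windows system binary, escalating when the target is the writer's own child and gains a privilege after the first write. The event shape, the parent PID 1000 and the benign control process are assumptions for the example.

```python
"""Detect the spawn-and-inject pattern shown in the process tree above.

Added example, not part of the sandbox report: it replays a constructed
event stream modelled on the report's tables (sample.exe, pid 800, writes
six times into the wermgr.exe it spawned, pid 1388, which then enables
SeDebugPrivilege) and flags cross-process writes from a user-writable
path into a Windows system binary, escalating when the target is the
writer's own child and gains a privilege after the write.
"""
from collections import Counter

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed events (not the report's raw log), in execution order; the
# pids, images and counts mirror the report, the parent pid 1000 is assumed.
EVENTS = (
    [
        {"type": "process_create", "pid": 800, "ppid": 1000,
         "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
        {"type": "process_create", "pid": 1388, "ppid": 800,
         "image": r"C:\Windows\system32\wermgr.exe"},
    ]
    + [{"type": "write_process_memory", "pid": 800, "target_pid": 1388}] * 6
    + [
        {"type": "adjust_token", "pid": 1388, "privilege": "SeDebugPrivilege"},
        {"type": "adjust_token", "pid": 1388, "privilege": "SeDebugPrivilege"},
        # Benign control: a system binary started by the same parent, never written to.
        {"type": "process_create", "pid": 2000, "ppid": 1000,
         "image": r"C:\Windows\system32\notepad.exe"},
    ]
)


def _under(path, prefixes):
    p = path.lower()
    return any(pre in p for pre in prefixes)


def detect_injection(events):
    """Return one finding per (writer, target) pair matching the pattern.

    medium: a process running from a user-writable path writes into another
            process whose image is a Windows system binary.
    high:   additionally, the target is the writer's child and enabled a
            privilege after the first write (wermgr.exe and SeDebugPrivilege here).
    Self-writes and pids with no process_create event are ignored.
    """
    procs, first_write, writes, tokens = {}, {}, Counter(), []
    for i, ev in enumerate(events):
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "write_process_memory" and ev["pid"] != ev["target_pid"]:
            key = (ev["pid"], ev["target_pid"])
            first_write.setdefault(key, i)
            writes[key] += 1
        elif ev["type"] == "adjust_token":
            tokens.append((i, ev["pid"], ev["privilege"]))

    findings = []
    for key, count in sorted(writes.items()):
        src, dst = procs.get(key[0]), procs.get(key[1])
        if src is None or dst is None:
            continue
        if not (_under(src["image"], USER_WRITABLE) and _under(dst["image"], SYSTEM_DIRS)):
            continue
        is_child = dst["ppid"] == key[0]
        later = sorted({p for i, pid, p in tokens if pid == key[1] and i > first_write[key]})
        findings.append({
            "src_pid": key[0], "src_image": src["image"],
            "dst_pid": key[1], "dst_image": dst["image"],
            "writes": count, "child": is_child,
            "privileges_after_write": later,
            "severity": "high" if is_child and later else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_injection(EVENTS):
        print("%s: pid %d (%s) wrote %d times into pid %d (%s); child=%s; privileges after: %s"
              % (f["severity"].upper(), f["src_pid"], f["src_image"], f["writes"],
                 f["dst_pid"], f["dst_image"], f["child"],
                 ", ".join(f["privileges_after_write"]) or "none"))
```

The ordering check matters: a privilege the target already held before the first write says nothing about the write, so only AdjustPrivilegeToken events after it raise the severity. In a real pipeline the writer path test would also consider signature status and the parent of the writer, but the report exposes neither, so the example does not assume them.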