Analysis
max time kernel: 131s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 05-12-2020 03:12
Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7v20201028
General
Target: sample.exe
Size: 407KB
MD5: 361e8f325798c47073c2f5f2f9f69aa2
SHA1: fa8409bcd758bbd92bc01f7961e2f844c36badc9
SHA256: 5929445eb9941a91426eb0cc13cf918649608a1e2772d283cdc83665d82d400a
SHA512: 26bd9330e964d9d8f53cb10dae93965954585a4e63c90574a723620bfa5258d61a7f7366a7d3336e0a10e269f69ef5447c4cfd2f665946fa11c35067fc9e9382
Malware Config
Extracted
trickbot
1000512
ono56
autorunName: pwgrab
Signatures
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1468  wermgr.exe
Token: SeDebugPrivilege  1468  wermgr.exe
Token: SeDebugPrivilege  1468  wermgr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process     target process
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe
PID 1836 wrote to memory of 1468   1836  sample.exe  wermgr.exe