Analysis
-
max time kernel
112s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-12-2020 17:04
Static task
static1
Behavioral task
behavioral1
Sample
medgcbsgilmy.exe
Resource
win7v20201028
General
-
Target
medgcbsgilmy.exe
-
Size
615KB
-
MD5
4eb56d76a902ddcfa7c8b056de620838
-
SHA1
04da6acc5b635a8005b47912bf141c992c1aab61
-
SHA256
0f252d0b4a20555653ca22dcc8141dfeca1091d8dadbb5c98f2c7b3884ee0009
-
SHA512
5e330fa04634fc0a6e33f36b908d17786fd262d959def315a520b7d34b2ad396c7881c407a328721387c8fb5e71c7c3f570fcd6310d83c874ab51d376869bb11
Malware Config
Extracted
trickbot
100008
mor6
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
-
autorunName:pwgrab
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 ident.me 7 ident.me -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1676 wermgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
medgcbsgilmy.exepid process 1320 medgcbsgilmy.exe 1320 medgcbsgilmy.exe 1320 medgcbsgilmy.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
medgcbsgilmy.exedescription pid process target process PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe PID 1320 wrote to memory of 1676 1320 medgcbsgilmy.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\medgcbsgilmy.exe"C:\Users\Admin\AppData\Local\Temp\medgcbsgilmy.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken