Analysis
max time kernel: 118s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 30-12-2020 16:21
Static task: static1
Behavioral task: behavioral1
Sample: v.exe
Resource: win7v20201028
General
Target: v.exe
Size: 474KB
MD5: 335ef385abe7f20c5fb050fc86f01f08
SHA1: 0403b30b649d66b004fed646426a95b4e3125d87
SHA256: 0f9f0f158e7f7fc16503f9f04cdc337a2c8177b0b3c5bda3000a8cd4195e3c60
SHA512: 5adb9fde1f5c45508ef4b2686c837e7e0d17aa0967bde089c290a9b250564f9c1fe3932feb5a8091001fac43a16891c56ffd760b96fee9d4879e030d258d1875
Malware Config
Extracted
Family: trickbot
Version: 100008
Botnet (gtag): mor7
C2 (ip:port):
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
Attributes: autorunName:pwgrab
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 8
  ioc: icanhazip.com

Drops file in Windows directory (1 IoC)
Processes: v.exe
  description: File opened for modification
  ioc: C:\Windows\explorer.exe
  process: v.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  description: Token: SeDebugPrivilege
  pid: 1664
  process: wermgr.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: v.exe
  pid: 2044
  process: v.exe

Suspicious use of WriteProcessMemory (6 IoCs, all identical)
Processes: v.exe
  description: PID 2044 wrote to memory of 1664
  pid: 2044
  process: v.exe
  target process: wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\v.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\v.exe"
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of v.exe)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken