Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
30-12-2020 08:58
Static task
static1
Behavioral task
behavioral1
Sample
3c7a3e39984d3eba8e79fc01cb5be27a.exe
Resource
win7v20201028
General
-
Target
3c7a3e39984d3eba8e79fc01cb5be27a.exe
-
Size
612KB
-
MD5
3c7a3e39984d3eba8e79fc01cb5be27a
-
SHA1
dc9dfc77669f05bb2e8997f160f3e4b2d4ff91df
-
SHA256
696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f
-
SHA512
e5c5b6b9a03ff1ab1ff688714977e4a5b7b8704a3c5d43492a93258098b5b820dc895e6bbb9b161e33fb9050843b3878216a6f24f5fc4822c0337dae8e484304
Malware Config
Extracted
trickbot
100008
mor7
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
-
autorunName:pwgrab
Signatures
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 ipecho.net -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1404 wermgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
3c7a3e39984d3eba8e79fc01cb5be27a.exepid process 3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3c7a3e39984d3eba8e79fc01cb5be27a.exedescription pid process target process PID 3576 wrote to memory of 1404 3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe wermgr.exe PID 3576 wrote to memory of 1404 3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe wermgr.exe PID 3576 wrote to memory of 1404 3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe wermgr.exe PID 3576 wrote to memory of 1404 3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c7a3e39984d3eba8e79fc01cb5be27a.exe"C:\Users\Admin\AppData\Local\Temp\3c7a3e39984d3eba8e79fc01cb5be27a.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken