Analysis
- max time kernel: 78s
- max time network: 130s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-12-2020 17:04
Static task: static1
Behavioral task: behavioral1
- Sample: hlhgk.exe
- Resource: win7v20201028
General
- Target: hlhgk.exe
- Size: 474KB
- MD5: b2e58ff4e1121fff68558f1d5a35e50c
- SHA1: 2ea49fc43c51268a20def29f473184e0823f8c8b
- SHA256: 5cff92f1ea0e23cb1dd493c35d97621d051150426620caf0f674a172c103ce98
- SHA512: 39f8440dc1e6e8a0090504930365050cf81470a7408a996b6caf2cd6783b5822d9878902bd9d7e6e8e23f1e93f0ce487b96017a776f62139bfb4cd2d366c6cd3
Malware Config
Extracted
trickbot
100008
mor7
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
autorunName: pwgrab
Signatures

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     ident.me
    8     ident.me

- Drops file in Windows directory (1 IoC)
  Processes: hlhgk.exe
    description                   ioc                      process
    File opened for modification  C:\Windows\explorer.exe  hlhgk.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
    description              pid   process
    Token: SeDebugPrivilege  1188  wermgr.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: hlhgk.exe
    pid  process
    596  hlhgk.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: hlhgk.exe
    description                      pid  process    target process
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
    PID 596 wrote to memory of 1188  596  hlhgk.exe  wermgr.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\hlhgk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hlhgk.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken