Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 30-12-2020 08:56
Static task: static1
Behavioral task: behavioral1
Sample: bc4916b182234073286e830c2dc2f210.exe
Resource: win7v20201028
General
Target: bc4916b182234073286e830c2dc2f210.exe
Size: 612KB
MD5: bc4916b182234073286e830c2dc2f210
SHA1: b6d54467ad522b46d5d6a58ed4fd31d2c7e68d29
SHA256: 5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
SHA512: b3f69478d5b30758e74fddebcc96d5354404cddbff0634fcbdc6e5bef826d23d23f8ab6b09ed55264399e35fc331077e71e2475ee9322e83735403e06e3b2c68
Malware Config
Extracted
Family: trickbot
Version: 100008
Botnet (gtag): mor7
C2 servers (all on TCP port 449):
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
autorunName: pwgrab
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1616  wermgr.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1824  bc4916b182234073286e830c2dc2f210.exe
Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  description                       pid   process                               target process
  PID 1824 wrote to memory of 1616  1824  bc4916b182234073286e830c2dc2f210.exe  wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
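The indicators this report yields are the C2 set in the extracted config (every endpoint on TCP 449) and the behavioural chain above: an executable in the user's Temp directory spawns the legitimate Windows Error Reporting binary wermgr.exe, writes into its memory, and the child then enables SeDebugPrivilege. The script below is an added example, not part of the sandbox output, that turns both into hunting logic. It assumes a constructed netflow line format ("timestamp src:port -> dst:port") and event dictionaries shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the sample flows and events are constructed for the example, including the explorer.exe and svchost.exe rows, which are not in the report. The function and constant names are the example's own.

```python
"""Hunt for the IoCs in this report: TrickBot C2 endpoints on TCP 449 and the
bc4916...exe -> wermgr.exe process-injection chain.
Added example; log formats and sample data are constructed for illustration."""
import re

# C2 endpoints copied from the extracted config above (ip:port strings).
TRICKBOT_C2 = {
    "103.231.115.106:449", "117.222.63.100:449", "117.254.58.83:449",
    "149.54.11.54:449", "170.82.4.64:449", "177.11.12.93:449",
    "182.16.187.251:449", "187.108.86.48:449", "190.152.88.57:449",
    "203.88.149.33:449", "36.89.191.119:449", "41.159.31.227:449",
    "85.202.128.243:449", "92.204.160.82:449", "103.150.68.124:449",
    "103.126.185.7:449", "103.112.145.58:449", "103.110.53.174:449",
    "102.164.208.48:449", "102.164.208.44:449",
}

PROCESS_VM_WRITE = 0x0020      # Win32 access right needed for WriteProcessMemory
WINDOWS_DIR = "c:\\windows\\"  # wermgr.exe is normally started from this tree


def match_connections(lines):
    """lines: constructed netflow strings 'ts src_ip:port -> dst_ip:port'.
    Returns (hits, weak): hits are exact C2 matches, weak is any other
    destination on TCP 449, an unusual port worth a second look."""
    hits, weak = [], []
    for line in lines:
        m = re.search(r"(\S+) -> (\S+)$", line.strip())
        if not m:
            continue
        src, dst = m.groups()
        if dst in TRICKBOT_C2:
            hits.append((src, dst))
        elif dst.endswith(":449"):
            weak.append((src, dst))
    return hits, weak


def wermgr_with_odd_parent(events):
    """events: dicts shaped like Sysmon EID 1 (ProcessCreate).
    Flags wermgr.exe whose parent lives outside C:\\Windows, as in this report,
    where the parent is an .exe in the user's Temp directory."""
    return [e for e in events
            if e["Image"].lower().endswith("\\wermgr.exe")
            and not e["ParentImage"].lower().startswith(WINDOWS_DIR)]


def injection_into_wermgr(events):
    """events: dicts shaped like Sysmon EID 10 (ProcessAccess).
    Flags a source outside C:\\Windows opening wermgr.exe with PROCESS_VM_WRITE,
    which is what the WriteProcessMemory signature above observed."""
    out = []
    for e in events:
        mask = int(e["GrantedAccess"], 16)
        if (e["TargetImage"].lower().endswith("\\wermgr.exe")
                and not e["SourceImage"].lower().startswith(WINDOWS_DIR)
                and mask & PROCESS_VM_WRITE):
            out.append((e["SourceProcessId"], e["TargetProcessId"]))
    return out


# --- constructed sample data (not from the sandbox run) ----------------------
SAMPLE_FLOWS = [
    "2020-12-30T08:57:01 10.0.0.15:49211 -> 103.231.115.106:449",   # known C2
    "2020-12-30T08:57:02 10.0.0.15:49212 -> 93.184.216.34:443",     # benign
    "2020-12-30T08:57:05 10.0.0.15:49213 -> 198.51.100.7:449",      # port-only hit
]
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"
SAMPLE_EID1 = [
    {"ProcessId": "1824", "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "1616", "Image": WERMGR, "ParentImage": DROPPER},
    {"ProcessId": "2200", "Image": WERMGR, "ParentImage": r"C:\Windows\System32\svchost.exe"},
]
SAMPLE_EID10 = [
    {"SourceProcessId": "1824", "SourceImage": DROPPER,
     "TargetProcessId": "1616", "TargetImage": WERMGR, "GrantedAccess": "0x1FFFFF"},
    {"SourceProcessId": "2200", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": "1616", "TargetImage": WERMGR, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    print(match_connections(SAMPLE_FLOWS))
    print([e["ProcessId"] for e in wermgr_with_odd_parent(SAMPLE_EID1)])
    print(injection_into_wermgr(SAMPLE_EID10))
```

The parent-path check matters more than the image name: wermgr.exe is a signed Microsoft binary that runs on every host, so alerting on its presence alone is noise, while wermgr.exe started by, or written to by, a process outside C:\Windows is the pattern this sample exhibits. Treat the port-449 rule as a low-confidence signal for triage rather than a blocking indicator.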
Network
MITRE ATT&CK Matrix
Downloads
memory/1616-5-0x0000000000000000-mapping.dmp
memory/1824-4-0x0000000001E50000-0x0000000001E8C000-memory.dmp (Filesize: 240KB)
memory/1824-6-0x0000000000240000-0x0000000000244000-memory.dmp (Filesize: 16KB)
memory/1824-7-0x0000000002950000-0x0000000002954000-memory.dmp (Filesize: 16KB)