Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 30-12-2020 08:56

Static task: static1
Behavioral task: behavioral1
- Sample: bc4916b182234073286e830c2dc2f210.exe
- Resource: win7v20201028
General
- Target: bc4916b182234073286e830c2dc2f210.exe
- Size: 612KB
- MD5: bc4916b182234073286e830c2dc2f210
- SHA1: b6d54467ad522b46d5d6a58ed4fd31d2c7e68d29
- SHA256: 5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
- SHA512: b3f69478d5b30758e74fddebcc96d5354404cddbff0634fcbdc6e5bef826d23d23f8ab6b09ed55264399e35fc331077e71e2475ee9322e83735403e06e3b2c68
Malware Config
Extracted
- Family: trickbot
- Version: 100008
- Botnet: mor7
- autorunName: pwgrab
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  24    checkip.amazonaws.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3944  wermgr.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1628  bc4916b182234073286e830c2dc2f210.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid   process                               target process
  PID 1628 wrote to memory of 3944   1628  bc4916b182234073286e830c2dc2f210.exe  wermgr.exe
  PID 1628 wrote to memory of 3944   1628  bc4916b182234073286e830c2dc2f210.exe  wermgr.exe
  PID 1628 wrote to memory of 3944   1628  bc4916b182234073286e830c2dc2f210.exe  wermgr.exe
  PID 1628 wrote to memory of 3944   1628  bc4916b182234073286e830c2dc2f210.exe  wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken