Analysis
-
max time kernel
97s -
max time network
138s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
31-12-2020 07:36
Static task
static1
Behavioral task
behavioral1
Sample
908c022dd787419782e3cf9eb8e05c9c.exe
Resource
win7v20201028
General
-
Target
908c022dd787419782e3cf9eb8e05c9c.exe
-
Size
474KB
-
MD5
908c022dd787419782e3cf9eb8e05c9c
-
SHA1
5cc2a59cad4424f805c073b843cb1821905ff9de
-
SHA256
f61b83f5c8c63c2074e9445599ab9dacba8ff58ddb594f434157c6deda73d317
-
SHA512
db0283305c6a586f6554009653082a0aab5f410e436216518ea95fa7d31d1eba2c09e14b95a7f03335f80e9dd387516ee15b62309004ff9dd8204669ee31bb95
Malware Config
Extracted
trickbot
100008
mor7
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
-
autorunName:pwgrab
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 ident.me 7 ident.me -
Drops file in Windows directory 1 IoCs
Processes:
908c022dd787419782e3cf9eb8e05c9c.exedescription ioc process File opened for modification C:\Windows\explorer.exe 908c022dd787419782e3cf9eb8e05c9c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1144 wermgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
908c022dd787419782e3cf9eb8e05c9c.exepid process 868 908c022dd787419782e3cf9eb8e05c9c.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
908c022dd787419782e3cf9eb8e05c9c.exedescription pid process target process PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe PID 868 wrote to memory of 1144 868 908c022dd787419782e3cf9eb8e05c9c.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\908c022dd787419782e3cf9eb8e05c9c.exe"C:\Users\Admin\AppData\Local\Temp\908c022dd787419782e3cf9eb8e05c9c.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken