Analysis
- max time kernel: 130s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-01-2021 14:14

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7v20201028, windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 1.exe
- Size: 596KB
- MD5: 1372de53ba47855e25ca36db13e73db2
- SHA1: 4b7846b767cfbd9e8bcbace96deaf514106104ad
- SHA256: 8ed5bfd73f941dc50914104f719d8038cf97b79e754f528c68c23ac0f512b439
- SHA512: e713bdd5ec1a86987f07c34a9333619222cad228641175cb3d1a70fc88a34a0fd16fea91431ce46cb95949f8820d5017cdf49eafa74699dc6fabd4b0c655fb66
Malware Config
Extracted
- Family: trickbot
- Version: 100004
- Botnet: yas13
- C2:
  - 103.250.70.163:443
  - 181.196.24.6:443
  - 103.87.25.220:443
  - 2.179.73.140:443
  - 118.69.133.4:443
  - 202.62.47.109:443
  - 14.102.109.190:443
  - 103.78.81.5:443
  - 116.0.54.227:443
  - 36.94.193.167:443
  - 194.5.179.82:443
  - 213.235.183.78:443
  - 103.52.47.20:449
- Attributes:
  - autorunName: pwgrab
  - ecc_pubkey.base64
Signatures

- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\notepad.exe | 1.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  60 | 1.exe
  60 | 1.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 184 | wermgr.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  60 | 1.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 60 wrote to memory of 184 | 60 | 1.exe | wermgr.exe
  PID 60 wrote to memory of 184 | 60 | 1.exe | wermgr.exe
  PID 60 wrote to memory of 184 | 60 | 1.exe | wermgr.exe
  PID 60 wrote to memory of 184 | 60 | 1.exe | wermgr.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\wermgr.exe (child of 1.exe)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken