Analysis

max time kernel:   112s
max time network:  145s
platform:          windows10_x64
resource:          win10v20201028
submitted:         05-01-2021 09:16

Static task:       static1
Behavioral task:   behavioral1
Sample:            868f654ed6c48d909205d122ce8cd06b.exe
Resource:          win7v20201028
General

Target:  868f654ed6c48d909205d122ce8cd06b.exe
Size:    668KB
MD5:     868f654ed6c48d909205d122ce8cd06b
SHA1:    d56cb321d3da67570e46ac8eaa8ee4a002284390
SHA256:  75ef968283165b8a4fc163a383e2b28a210544fc10c05c914141f36c747ed23e
SHA512:  ecd6315982d791f1fe1ae9956121662256656fdd8d4418199a05f3db6f747e94a390403a7b17afd8908878fa8aa57763de1993f0698a980d9d4b97ffa234ae43
Malware Config

Extracted
Family:   trickbot
Version:  100009
Botnet:   mor9
autorunName: pwgrab
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  16    ipinfo.io

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid  process
  Token: SeDebugPrivilege   188  wermgr.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid  process
  508  868f654ed6c48d909205d122ce8cd06b.exe
  508  868f654ed6c48d909205d122ce8cd06b.exe
  508  868f654ed6c48d909205d122ce8cd06b.exe
  508  868f654ed6c48d909205d122ce8cd06b.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid  process                               target process
  PID 508 wrote to memory of 188   508  868f654ed6c48d909205d122ce8cd06b.exe  wermgr.exe
  PID 508 wrote to memory of 188   508  868f654ed6c48d909205d122ce8cd06b.exe  wermgr.exe
  PID 508 wrote to memory of 188   508  868f654ed6c48d909205d122ce8cd06b.exe  wermgr.exe
  PID 508 wrote to memory of 188   508  868f654ed6c48d909205d122ce8cd06b.exe  wermgr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\868f654ed6c48d909205d122ce8cd06b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\868f654ed6c48d909205d122ce8cd06b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (child process)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken