Analysis
- max time kernel: 97s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-01-2021 09:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: a83ca01d677db702c686d6b957405458.exe
- Resource: win7v20201028
General
- Target: a83ca01d677db702c686d6b957405458.exe
- Size: 668KB
- MD5: a83ca01d677db702c686d6b957405458
- SHA1: 68ab5cec408fdfd586e54a3e11d00b7d8a49c8b4
- SHA256: 8c206ff3cf89ee0ddf05f2608ef0535b7a2c17710e6ccec34ec6439d417dab69
- SHA512: 474f52d06c8ce1e51a712f6972dabbdd3a96b1706c20d09cc5d76ac29061a253c6e4f79fcece97dfcdebabb8697d11fddb895c48be45280b6f9f5516cfa4f002
Malware Config
Extracted
trickbot
100009
mor9
- autorunName: pwgrab
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    9     api.ipify.org
    10    api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    wermgr.exe
    description             pid   process
    Token: SeDebugPrivilege 1560  wermgr.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    a83ca01d677db702c686d6b957405458.exe
    pid   process
    1640  a83ca01d677db702c686d6b957405458.exe
    1640  a83ca01d677db702c686d6b957405458.exe
    1640  a83ca01d677db702c686d6b957405458.exe
    1640  a83ca01d677db702c686d6b957405458.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    a83ca01d677db702c686d6b957405458.exe
    description                       pid   process                               target process
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
    PID 1640 wrote to memory of 1560  1640  a83ca01d677db702c686d6b957405458.exe  wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a83ca01d677db702c686d6b957405458.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a83ca01d677db702c686d6b957405458.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of process 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken