Analysis

max time kernel: 113s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 07:11

Static task: static1
Behavioral task: behavioral1
Sample: b604247ade575ac39bc1597c9bdc3164.exe
Resource: win7v20201028
General

Target: b604247ade575ac39bc1597c9bdc3164.exe
Size: 898KB
MD5: b604247ade575ac39bc1597c9bdc3164
SHA1: bb678d0aabb6200092bfb60234c15d46b7b9ab55
SHA256: 7f0f65f78d6fe0a0e7eb8771be51e8b3cf86a5bef749eafe8d56d99b13cdc51a
SHA512: e2ead1d0d6c7a86b9cb41a524bfb656264336adf4244fdbe6b54e340958b4aec48afae26f6b429beaa6ba0855f8d246f4f869b9a113cd5a2f536e18ed58904fe
Malware Config

Extracted
Family: trickbot
Version: 100010
Botnet (gtag): rob35
C2 (all on tcp/443):
5.34.180.180:443
64.74.160.228:443
198.46.198.116:443
5.34.180.185:443
107.152.46.188:443
195.123.241.214:443
23.254.224.2:443
107.172.188.113:443
200.52.147.93:443
185.198.59.45:443
45.14.226.101:443
185.82.126.38:443
85.204.116.139:443
45.155.173.248:443
103.91.244.50:443
45.230.244.20:443
45.226.124.226:443
187.84.95.6:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
180.92.158.244:443
Attributes
autorunName: pwgrab
(pwgrab is TrickBot's credential-stealing module; the config marks it to run automatically after the core loads.)
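Turning the extracted config into deployable indicators. This is an added example, not part of the sandbox report or of Triage's own tooling: it validates every C2 entry, deduplicates them, refuses private or reserved addresses (extractor noise that would block internal traffic), and emits Suricata rules plus a Zeek intel file. The C2 list and the version/botnet values are copied from the report above; the SID base and the meta.source string are arbitrary choices for this example.

```python
import ipaddress
from typing import List, Tuple

# Values copied from the extracted config above. The field names (family,
# version, botnet, c2, autorun) follow the Triage trickbot extractor's labels.
CONFIG = {
    "family": "trickbot",
    "version": "100010",
    "botnet": "rob35",
    "c2": [
        "5.34.180.180:443", "64.74.160.228:443", "198.46.198.116:443",
        "5.34.180.185:443", "107.152.46.188:443", "195.123.241.214:443",
        "23.254.224.2:443", "107.172.188.113:443", "200.52.147.93:443",
        "185.198.59.45:443", "45.14.226.101:443", "185.82.126.38:443",
        "85.204.116.139:443", "45.155.173.248:443", "103.91.244.50:443",
        "45.230.244.20:443", "45.226.124.226:443", "187.84.95.6:443",
        "186.250.157.116:443", "186.137.85.76:443", "36.94.62.207:443",
        "182.253.107.34:443", "180.92.158.244:443",
    ],
    "autorun": ["pwgrab"],
}


def parse_endpoint(entry: str) -> Tuple[str, int]:
    """Split 'ip:port' and validate both halves; raises ValueError on junk."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep:
        raise ValueError(f"no port in {entry!r}")
    ip = ipaddress.ip_address(host)      # rejects hostnames and malformed IPs
    port_n = int(port)
    if not 0 < port_n < 65536:
        raise ValueError(f"bad port in {entry!r}")
    return str(ip), port_n


def c2_endpoints(config: dict) -> List[Tuple[str, int]]:
    """Validated, order-preserving, de-duplicated (ip, port) list."""
    seen, out = set(), []
    for entry in config["c2"]:
        ep = parse_endpoint(entry)
        if ep not in seen:
            seen.add(ep)
            out.append(ep)
    return out


def non_global_endpoints(config: dict) -> List[Tuple[str, int]]:
    """Sanity check before deployment: private/reserved addresses in a C2 list
    are extractor noise and would block internal traffic if pushed to a sensor."""
    return [(ip, p) for ip, p in c2_endpoints(config)
            if not ipaddress.ip_address(ip).is_global]


def suricata_rules(config: dict, sid_base: int = 9000001) -> List[str]:
    """One alert rule per C2 endpoint; sid_base is an arbitrary local range."""
    rules = []
    for i, (ip, port) in enumerate(c2_endpoints(config)):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f"(msg:\"TrickBot C2 {config['botnet']} v{config['version']}\"; "
            f"flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


def zeek_intel(config: dict) -> str:
    """Zeek intelligence framework file (tab-separated, header first)."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"
    rows = [
        f"{ip}\tIntel::ADDR\ttriage-trickbot\t"
        f"{config['family']} {config['botnet']} C2 tcp/{port}"
        for ip, port in c2_endpoints(config)
    ]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    bad = non_global_endpoints(CONFIG)
    if bad:
        raise SystemExit(f"refusing to emit rules, non-global C2 entries: {bad}")
    print("\n".join(suricata_rules(CONFIG)))
    print(zeek_intel(CONFIG))
```

IP-only indicators from TrickBot configs age quickly because the C2 nodes are rotated between builds; the botnet tag and version are the fields worth keeping for clustering later samples, and the rule message carries them so a hit can be tied back to this config.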
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            | pid  | process      | target process
  PID 3868 created 3168  | 3868 | WerFault.exe | cmd.exe

Blocklisted process makes network request (1 IoC)
  flow | pid  | process
  19   | 3168 | cmd.exe

Program crash (1 IoC)
  pid  | pid_target | process      | target process
  3868 | 3168       | WerFault.exe | cmd.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  | process
  3868 | WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | process
  Token: SeDebugPrivilege | 3168 | cmd.exe
  Token: SeDebugPrivilege | 3868 | WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | process                              | target process
  PID 4700 wrote to memory of 3168 | 4700 | b604247ade575ac39bc1597c9bdc3164.exe | cmd.exe   (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\b604247ade575ac39bc1597c9bdc3164.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b604247ade575ac39bc1597c9bdc3164.exe"
  PID: 4700
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe
      PID: 3168
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\WerFault.exe
          command line: C:\Windows\system32\WerFault.exe -u -p 3168 -s 932
          PID: 3868
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper (PID 4700) starts cmd.exe with no arguments and writes into its memory four times; that bare cmd.exe is then the process that holds SeDebugPrivilege and makes the outbound request (flow 19), which is the profile of an injected host process rather than a shell doing real work. cmd.exe subsequently crashes and WerFault.exe is launched to report it (-p 3168 is the crashing PID), so the EnumeratesProcesses, AdjustPrivilegeToken and NtCreateProcessExOtherParentProcess entries for PID 3868 are Windows Error Reporting's own behaviour rather than further malware activity.
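Detection logic for the pattern in this tree, written as an added example (not from the report, and not Triage's own signature code) over constructed Sysmon-style events: a process that another process opened with the access bits WriteProcessMemory needs (PROCESS_VM_WRITE and PROCESS_VM_OPERATION, Sysmon event 10) and that later initiates a network connection (event 3), flagged further when its command line is the bare executable. The PIDs and images mirror the report; the benign second cmd.exe, the parent PIDs, the access mask and the destination address are invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Access rights a caller must hold to WriteProcessMemory into another process.
# Sysmon event 10 (ProcessAccess) records the GrantedAccess mask of OpenProcess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Event:
    event_id: int                    # Sysmon: 1 = create, 10 = process access, 3 = network
    pid: int                         # subject process (source pid for event 10)
    image: str
    command_line: str = ""
    parent_pid: Optional[int] = None
    target_pid: Optional[int] = None  # event 10 only
    granted_access: int = 0           # event 10 only (Sysmon logs this as hex text)
    dest: str = ""                    # event 3 only, "ip:port"


SAMPLE = "b604247ade575ac39bc1597c9bdc3164.exe"

# Constructed events mirroring the report's tree. PID 5555, the parent PIDs, the
# 0x1FFFFF mask and the destination are illustrative, not taken from the report.
EVENTS = [
    Event(1, 4700, SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"', parent_pid=1234),
    Event(1, 3168, "cmd.exe", "C:\\Windows\\system32\\cmd.exe", parent_pid=4700),
    Event(10, 4700, SAMPLE, target_pid=3168, granted_access=0x1FFFFF),
    Event(1, 5555, "cmd.exe", 'cmd.exe /c "dir C:\\Users"', parent_pid=4321),  # benign shell
    Event(3, 3168, "cmd.exe", dest="5.34.180.180:443"),
    Event(3, 5555, "cmd.exe", dest="10.0.0.5:445"),
]


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is only the executable, quoted or not."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return end != -1 and cl[end + 1:].strip() == ""
    return len(cl.split()) == 1


def find_injected_beacons(events: List[Event]) -> List[dict]:
    """Correlate write-capable cross-process handles with later network activity.

    Returns one hit per network connection made by a process that some other
    process had opened with INJECT_MASK; 'bare_command_line' marks the
    no-argument host-process case seen in this report."""
    procs: Dict[int, dict] = {}
    hits: List[dict] = []
    for e in events:
        if e.event_id == 1:
            procs[e.pid] = {"image": e.image, "cmdline": e.command_line,
                            "parent": e.parent_pid, "writers": set()}
        elif e.event_id == 10 and e.target_pid is not None and e.pid != e.target_pid:
            if e.granted_access & INJECT_MASK == INJECT_MASK:
                entry = procs.setdefault(
                    e.target_pid, {"image": "?", "cmdline": "", "parent": None, "writers": set()})
                entry["writers"].add(e.pid)
        elif e.event_id == 3:
            p = procs.get(e.pid)
            if p and p["writers"]:
                hits.append({
                    "pid": e.pid,
                    "image": p["image"],
                    "writers": sorted(p["writers"]),
                    "dest": e.dest,
                    "bare_command_line": has_no_arguments(p["cmdline"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_injected_beacons(EVENTS):
        print(hit)
```

The mask check is deliberately on the granted rights rather than on a specific caller image, so the same rule catches the pattern whatever name the dropper carries; the bare-command-line flag is a severity booster, not a precondition, because injection into a process that was launched with arguments is just as real.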