Analysis Overview
SHA256
109e098ab6371e9d35e646a7b9750fd240de4d1561480e4ec6116f5e41632dfa
Threat Level: Known bad
The file 8a242c61e128f44072070948f8fa855b was found to be: Known bad.
Malicious Activity Summary
Trickbot
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-02 17:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 17:44
Reported
2024-02-02 17:47
Platform
win10v2004-20231222-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
Trickbot
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3020 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\wermgr.exe |
| PID 3020 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\wermgr.exe |
| PID 3020 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\cmd.exe |
| PID 3020 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\cmd.exe |
| PID 3020 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\wermgr.exe |
| PID 3020 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe
"C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe"
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 812
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| AR | 181.114.215.239:443 | N/A | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| ZA | 41.57.156.203:443 | N/A | tcp |
| CA | 38.110.100.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| SL | 196.216.220.211:443 | N/A | tcp |
| IN | 103.122.228.44:443 | N/A | tcp |
| ID | 43.252.159.63:443 | N/A | tcp |
Files
memory/3020-0-0x00000000024A0000-0x00000000024DE000-memory.dmp
memory/3020-5-0x00000000024E0000-0x000000000251A000-memory.dmp
memory/3020-4-0x0000000002460000-0x000000000249C000-memory.dmp
memory/3020-6-0x00000000024E0000-0x000000000251A000-memory.dmp
memory/3020-7-0x0000000002530000-0x0000000002531000-memory.dmp
memory/3020-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/4188-9-0x000001DB117F0000-0x000001DB117F1000-memory.dmp
memory/4188-10-0x000001DB11650000-0x000001DB11679000-memory.dmp
memory/3020-11-0x0000000002440000-0x0000000002453000-memory.dmp
memory/3020-12-0x00000000024E0000-0x000000000251A000-memory.dmp
memory/4188-14-0x000001DB11650000-0x000001DB11679000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 17:44
Reported
2024-02-02 17:47
Platform
win7-20231215-en
Max time kernel
134s
Max time network
143s
Command Line
Signatures
Trickbot
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe
"C:\Users\Admin\AppData\Local\Temp\8a242c61e128f44072070948f8fa855b.exe"
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
Network
| Country | Destination | Domain | Proto |
| CA | 38.110.100.219:443 | N/A | tcp |
| AR | 181.114.215.239:443 | N/A | tcp |
| KR | 119.202.8.249:443 | N/A | tcp |
| VN | 113.160.37.196:443 | N/A | tcp |
| ID | 43.252.159.63:443 | N/A | tcp |
| BR | 186.225.119.170:443 | N/A | tcp |
Files
memory/2516-0-0x00000000004E0000-0x000000000051E000-memory.dmp
memory/2516-2-0x00000000004A0000-0x00000000004DC000-memory.dmp
memory/2516-5-0x0000000000620000-0x000000000065A000-memory.dmp
memory/2516-6-0x0000000000620000-0x000000000065A000-memory.dmp
memory/2516-7-0x0000000000660000-0x0000000000661000-memory.dmp
memory/2516-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2392-9-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2392-10-0x0000000000060000-0x0000000000089000-memory.dmp
memory/2516-11-0x0000000000620000-0x000000000065A000-memory.dmp
memory/2392-13-0x0000000000060000-0x0000000000089000-memory.dmp