Analysis
max time kernel: 65s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 08:50
Static task
static1
Behavioral task
behavioral1
Sample
c844e56bd39ad5d3f3fadc5e99176cc0N.exe
Resource
win7-20240705-en
General
Target: c844e56bd39ad5d3f3fadc5e99176cc0N.exe
Size: 506KB
MD5: c844e56bd39ad5d3f3fadc5e99176cc0
SHA1: 876c920dfde275b2ddc92cf3e6a4f92e50ade1da
SHA256: a5bdc3a8cbf6f401ea415c19ae8fe352d3ce9ad65963470307bdd974e0aa1ba9
SHA512: 235f9ef6a1209c11a6acbc124bcc9bf0c0dfc40517bc3f031424e3462de171cd218c6e7a173329026ed407003a62dc99771b1607b97244742bbd3e3d51b9528d
SSDEEP: 6144:T4p06YZxFrAfp9NlOvTULvRf71SWZsYM+VX+bUOGcLZo3nU:UxYL2fpsvUfhxvVX+9Z0U
Malware Config
Extracted
trickbot
1000512
ono57
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: c844e56bd39ad5d3f3fadc5e99176cc0N.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1452 | wermgr.exe
Token: SeDebugPrivilege | 1452 | wermgr.exe
Token: SeDebugPrivilege | 1452 | wermgr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
PID 2716 wrote to memory of 1452 | 2716 | c844e56bd39ad5d3f3fadc5e99176cc0N.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\c844e56bd39ad5d3f3fadc5e99176cc0N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c844e56bd39ad5d3f3fadc5e99176cc0N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2716
   2. C:\Windows\system32\wermgr.exe (child of 1)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 1452