Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 10:11
Static task
static1
Behavioral task
behavioral1
Sample
202410020707c8152434894033f9c7bd510ea263mafia.exe
Resource
win7-20240903-en
General
-
Target
202410020707c8152434894033f9c7bd510ea263mafia.exe
-
Size
489KB
-
MD5
0707c8152434894033f9c7bd510ea263
-
SHA1
724a1116754c9621c90e2b2fad5e3b9a1abfa654
-
SHA256
65e911bc06a1f324cafb964e2a29cbfd37226a0d502c4ddcc846f22221fba0bf
-
SHA512
6ea7a6a2658112cc096f9039e07e26eb07aabac28ad1b64773cea542652058be015ca3381e297e9d928f296387aa5c067a05f06d7fd6fe1138a9de0c33a3c72d
-
SSDEEP
6144:V6ZlxMlN8qVY0rmGdW5boVMd3AqEiAqqhYOtRF5498DF06YjnU9ZEFv:k94vY0rPd4boQAqPGRRFK9e06BHEFv
Malware Config
Extracted
trickbot
2000033
tot154
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
-
autorunName:pwgrabbName:pwgrabc
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202410020707c8152434894033f9c7bd510ea263mafia.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2332 wermgr.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31 PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31 PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31 PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31 PID 876 wrote to memory of 2096 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 32 PID 876 wrote to memory of 2096 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 32 PID 876 wrote to memory of 2096 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 32 PID 876 wrote to memory of 2096 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 32 PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31 PID 876 wrote to memory of 2332 876 202410020707c8152434894033f9c7bd510ea263mafia.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe"C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe2⤵PID:2096
-