Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 10:11
Static task: static1
Behavioral task: behavioral1
Sample: 202410020707c8152434894033f9c7bd510ea263mafia.exe
Resource: win7-20240903-en
General
Target: 202410020707c8152434894033f9c7bd510ea263mafia.exe
Size: 489KB
MD5: 0707c8152434894033f9c7bd510ea263
SHA1: 724a1116754c9621c90e2b2fad5e3b9a1abfa654
SHA256: 65e911bc06a1f324cafb964e2a29cbfd37226a0d502c4ddcc846f22221fba0bf
SHA512: 6ea7a6a2658112cc096f9039e07e26eb07aabac28ad1b64773cea542652058be015ca3381e297e9d928f296387aa5c067a05f06d7fd6fe1138a9de0c33a3c72d
SSDEEP: 6144:V6ZlxMlN8qVY0rmGdW5boVMd3AqEiAqqhYOtRF5498DF06YjnU9ZEFv:k94vY0rPd4boQAqPGRRFK9e06BHEFv
Malware Config
Extracted: trickbot
2000033
tot154
autorun: Name:pwgrabb, Name:pwgrabc
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 202410020707c8152434894033f9c7bd510ea263mafia.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1488
  Process: wermgr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | Process | procid_target):
  PID 824 wrote to memory of 1488 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 82
  PID 824 wrote to memory of 1488 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 82
  PID 824 wrote to memory of 4480 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 83
  PID 824 wrote to memory of 4480 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 83
  PID 824 wrote to memory of 1488 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 82
  PID 824 wrote to memory of 1488 | 824 | 202410020707c8152434894033f9c7bd510ea263mafia.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe"
  PID: 824
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wermgr.exe
    command line: C:\Windows\system32\wermgr.exe
    PID: 1488
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe
    PID: 4480