Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 16:36

Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7-20240903-en
General

Target: sample.exe
Size: 592KB
MD5: c338a1e442838cc95a6724f2def934b5
SHA1: 279e903c173a2f7b34806d931b31369788cd90b9
SHA256: df4491307732cc8c20abfa4e86609aaef79ce847563f060bfa73b0dc8dce274a
SHA512: c77ba9ec89037537919192737d3cb5315b9070059c328e0d69022183dbd6d8667ab4778ffa52082d95ccb8c9412ad4ebe0f1e6eb090c3fa3cb4c920ae31440b7
SSDEEP: 12288:G+s6qIJMaGcNT+VGt0i5wRlg5QBBslNweXOYDHUDPXi0pqwK7bCFQOjV:VqIJMdCOYDHUDPinCyC
Malware Config

Extracted

Family: trickbot
Version: 2000013
Botnet (gtag): mor133
C2 (all TLS on 443):
  199.38.120.91:443
  199.38.121.150:443
  199.38.123.58:443
  208.86.162.215:443
  208.86.161.113:443
  208.86.162.241:443
  131.153.22.145:443
  62.108.35.29:443
  45.89.127.118:443
  185.99.2.123:443
  62.108.35.36:443
  45.89.127.119:443
  194.5.249.216:443
  185.99.2.160:443
  80.85.156.116:443
  86.104.194.102:443
autorunName: pwgrab
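The extracted C2 list is the most directly actionable part of the report. The following added example (not part of the sandbox output, and not vendor detection content) turns the sixteen ip:port endpoints above into two hunting artifacts: a lookup that scans connection logs for contact with any endpoint, and one Suricata rule per endpoint. The connection log lines are constructed for the demo, the log format is assumed, and the SID base is an arbitrary assumption.

```python
"""Turn the TrickBot C2 list from the extracted config into hunting artifacts.

Added example, not from the sandbox report. The endpoints below are the ones
the report lists; the log lines, log format and SID range are assumptions.
"""
import ipaddress
import re

# C2 endpoints exactly as extracted from the sample (all TLS on 443).
C2_RAW = """
199.38.120.91:443
199.38.121.150:443
199.38.123.58:443
208.86.162.215:443
208.86.161.113:443
208.86.162.241:443
131.153.22.145:443
62.108.35.29:443
45.89.127.118:443
185.99.2.123:443
62.108.35.36:443
45.89.127.119:443
194.5.249.216:443
185.99.2.160:443
80.85.156.116:443
86.104.194.102:443
"""

BOTNET = "mor133"    # gtag from the extracted config
VERSION = "2000013"  # version from the extracted config


def parse_c2(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples; malformed IPs raise ValueError."""
    out = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)  # validate, so a garbled line cannot silently match nothing
        out.add((host, int(port)))
    return out


# Constructed key=value connection log (not from the report). The last line
# reaches a C2 address on a port the config does not list, so it must not match.
SAMPLE_LOG = """\
ts=2024-12-21T16:40:01Z src=10.0.0.5:51234 dst=199.38.120.91:443 proto=tcp
ts=2024-12-21T16:40:02Z src=10.0.0.5:51235 dst=142.250.74.78:443 proto=tcp
ts=2024-12-21T16:40:09Z src=10.0.0.7:49821 dst=185.99.2.160:443 proto=tcp
ts=2024-12-21T16:40:10Z src=10.0.0.7:49822 dst=185.99.2.160:80 proto=tcp
"""

_LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\d+\.\d+\.\d+\.\d+):(\d+)")


def find_c2_hits(log: str, c2: set[tuple[str, int]]) -> list[dict]:
    """Return one record per log line whose destination ip:port is a configured C2."""
    hits = []
    for line in log.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        ts, src, dip, dport = m.groups()
        if (dip, int(dport)) in c2:
            hits.append({"ts": ts, "src": src, "dst": f"{dip}:{dport}"})
    return hits


def suricata_rules(c2: set[tuple[str, int]], base_sid: int = 9000000) -> list[str]:
    """Emit one Suricata rule per endpoint; the SID base is an assumption."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"TrickBot C2 {BOTNET} ver {VERSION}"; '
            f"flow:to_server; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    for hit in find_c2_hits(SAMPLE_LOG, c2):
        print("C2 contact:", hit)
    print("\n".join(suricata_rules(c2)))
```

Matching on the ip:port pair rather than the bare address keeps the rule set tight; TrickBot C2 hosts are often shared infrastructure, so a bare-IP match on another port is worth a look but is not the same confidence as a hit on the configured port.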
Signatures

Trickbot family

Program crash (1 IoC)
pid  | pid_target | Process      | procid_target
4304 | 4276       | WerFault.exe | 81

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                         | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sample.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description             | pid  | Process
Token: SeDebugPrivilege | 3788 | wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
4276 | sample.exe
4276 | sample.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                      | pid  | Process    | procid_target
PID 4276 wrote to memory of 3788 | 4276 | sample.exe | 91
PID 4276 wrote to memory of 3788 | 4276 | sample.exe | 91
PID 4276 wrote to memory of 3788 | 4276 | sample.exe | 91
PID 4276 wrote to memory of 3788 | 4276 | sample.exe | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
   PID: 4276
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 3788
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 588
      PID: 4304
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4276 -ip 4276
   PID: 640
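The Signatures and Processes sections together describe one chain: sample.exe, running from the user's Temp directory, reads the NLS\Language key, spawns C:\Windows\system32\wermgr.exe, writes into that child's memory, and the child then enables SeDebugPrivilege. The following added example (not part of the sandbox report, and not any vendor's detection logic) re-derives that chain from raw process telemetry so the same pattern can be hunted in EDR or Sysmon data. The event records are constructed to mirror the report's PIDs and IoCs; the event schema, the parent PID of sample.exe, and the scoring weights are assumptions.

```python
"""Re-derive the report's injection chain from raw process telemetry.

Added example, not from the sandbox report. EVENTS mirrors the report's IoCs
(PIDs 4276/3788/4304, the wermgr.exe write, SeDebugPrivilege, NLS\\Language);
the schema, sample.exe's parent PID and the score weights are assumptions.
"""
from collections import defaultdict

# Constructed telemetry (Sysmon/EDR-like; schema assumed). Parent of the
# sample is not in the report, so PID 1 stands in for it.
EVENTS = [
    {"type": "process_create", "pid": 4276, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"type": "registry_open", "pid": 4276,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_create", "pid": 3788, "ppid": 4276,
     "image": r"C:\Windows\system32\wermgr.exe"},
    {"type": "memory_write", "pid": 4276, "target_pid": 3788},
    {"type": "memory_write", "pid": 4276, "target_pid": 3788},
    {"type": "token_adjust", "pid": 3788, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 4304, "ppid": 4276,
     "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]

# Prefix lists are assumptions; tune to the estate. Backslashes are escaped
# because a raw string cannot end in one.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOCALE_KEY_SUFFIXES = ("\\control\\nls\\language",)


def _is_user_writable(image: str) -> bool:
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def _is_system_binary(image: str) -> bool:
    return image.lower().startswith(SYSTEM_PREFIXES)


def detect(events: list[dict]) -> list[dict]:
    """Alert when a user-writable image writes into a system binary it spawned.

    Extra signals raise the score: the target enabling SeDebugPrivilege and the
    writer reading the NLS language key (the locale check seen in the report).
    """
    image, parent = {}, {}
    writes = defaultdict(set)   # writer pid -> set of target pids (dedups repeats)
    privs = defaultdict(set)    # pid -> privileges enabled via AdjustTokenPrivileges
    locale_probe = set()        # pids that opened the NLS language key
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            image[ev["pid"]] = ev["image"]
            parent[ev["pid"]] = ev["ppid"]
        elif t == "memory_write":
            writes[ev["pid"]].add(ev["target_pid"])
        elif t == "token_adjust":
            privs[ev["pid"]].add(ev["privilege"])
        elif t == "registry_open" and ev["key"].lower().endswith(LOCALE_KEY_SUFFIXES):
            locale_probe.add(ev["pid"])

    alerts = []
    for writer, targets in writes.items():
        for target in sorted(targets):
            # Writes into processes the writer did not spawn (e.g. a debugger or
            # WerFault attaching to a crashing process) are a different pattern.
            if parent.get(target) != writer:
                continue
            if not (_is_user_writable(image.get(writer, ""))
                    and _is_system_binary(image.get(target, ""))):
                continue
            score, reasons = 70, ["user-writable image wrote into a system binary it spawned"]
            if "SeDebugPrivilege" in privs[target]:
                score += 20
                reasons.append("target enabled SeDebugPrivilege")
            if writer in locale_probe:
                score += 10
                reasons.append("writer opened NLS\\Language (locale check)")
            alerts.append({"writer": writer, "target": target,
                           "target_image": image[target], "score": score,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Requiring that the writer also be the target's parent is what keeps this narrow: WerFault.exe and debuggers legitimately write into processes they did not create, and the report's own WerFault.exe instances (PIDs 4304 and 640) attach to 4276 rather than spawn it, so they do not trip the rule.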