Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 09:20

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 123.exe
Resource: win7-20241010-en
General
Target: 123.exe
Size: 676KB
MD5: ab0942e4e1a30a52eb28a2338cfc9eb7
SHA1: 05b153cea47c2f9ee31d645d967ad54eb50ef9a9
SHA256: b465cb3eec5644b9e0898bff7cf05a28f131394acfd5674d55c78813ca9b111c
SHA512: fc6579402efbc49ca3d33b3a1de20d72387a4236ef494f447095410f47225d5be9d3463b23de411c4f357e84e1d205cdd0c0a2328f693353e16385b0e9aa81ce
SSDEEP: 12288:FacEfn98kB7xGEHuNACiMFL6hwsrwacEAf9n4vUDRtILD+lD7:Ic8n3fhhwGctnRYalP
Malware Config
Extracted
Family: trickbot
Version: 1000514
Botnet: mor124
C2:
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
Autorun: Name: pwgrab
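The extracted config above is only useful if it is turned into something that can be matched against traffic. The following is an added example (not part of the sandbox report or of any Triage tooling): it parses a constructed copy of the "Extracted" block into a C2 lookup set keyed on ip:port, counts entries per port, and runs the set over a few constructed Zeek conn.log-style records. The positional reading of the first three lines as family, version and botnet tag is an assumption about the report layout; the addresses and ports are the ones listed on the page.

```python
"""Turn the Trickbot C2 list extracted in the report into a lookup set and
run it over connection records. Added example; not part of the report."""
import ipaddress
import re
from collections import Counter

# Constructed copy of the "Malware Config / Extracted" block from the report.
# Lines 1-3 are read positionally as family, version, botnet tag (assumed
# layout); every ip:port line is a C2 entry; the last line names the autorun
# module.
EXTRACTED_CONFIG = """\
trickbot
1000514
mor124
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
autorunName:pwgrab
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
AUTORUN_RE = re.compile(r"^autorun\s*:?\s*Name\s*:\s*(\w+)$", re.IGNORECASE)


def parse_config(text: str) -> dict:
    """Parse the config block into family/version/botnet, a set of
    (ip, port) C2 tuples and the list of autorun module names."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet = lines[:3]
    c2, autorun = set(), []
    for ln in lines[3:]:
        m = C2_RE.match(ln)
        if m:
            ip, port = m.groups()
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            c2.add((ip, int(port)))
            continue
        m = AUTORUN_RE.match(ln)
        if m:
            autorun.append(m.group(1))
    return {"family": family, "version": version, "botnet": botnet,
            "c2": c2, "autorun": autorun}


def ports_by_count(c2: set) -> dict:
    """Count C2 entries per destination port (443 and 449 in this config)."""
    return dict(Counter(port for _, port in c2))


# Constructed Zeek conn.log-style records: ts, id.orig_h, id.resp_h, id.resp_p.
# Two reach listed C2 endpoints; the third is benign; the fourth hits a C2
# host on a port that is not in the config and must not match.
SAMPLE_FLOWS = """\
1734859200.1\t10.0.0.5\t51.89.163.40\t443
1734859201.4\t10.0.0.5\t142.250.74.46\t443
1734859203.9\t10.0.0.7\t103.36.48.103\t449
1734859205.2\t10.0.0.7\t103.36.48.103\t80
"""


def match_flows(c2: set, flows: str) -> list:
    """Return (orig_h, resp_h, resp_p) for every flow whose destination
    ip:port is in the C2 set. The port is part of the key, so a connection
    to a C2 host on a different port is not reported."""
    hits = []
    for rec in flows.splitlines():
        if not rec.strip():
            continue
        _ts, orig_h, resp_h, resp_p = rec.split("\t")
        if (resp_h, int(resp_p)) in c2:
            hits.append((orig_h, resp_h, int(resp_p)))
    return hits


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(cfg["family"], cfg["version"], cfg["botnet"], cfg["autorun"])
    print(ports_by_count(cfg["c2"]))
    for hit in match_flows(cfg["c2"], SAMPLE_FLOWS):
        print("C2 contact:", hit)
```

Keying on ip:port rather than on the address alone is deliberate: several of the 449-port entries are on address ranges that also carry legitimate traffic, and matching only the address would generate noise without adding coverage for this config.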
Signatures
Trickbot family
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3284 | wermgr.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
432 | 123.exe
432 | 123.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 432 wrote to memory of 3284 | 432 | 123.exe | 90
PID 432 wrote to memory of 3284 | 432 | 123.exe | 90
PID 432 wrote to memory of 3284 | 432 | 123.exe | 90
PID 432 wrote to memory of 3284 | 432 | 123.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\123.exe (command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"), PID 432
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe (command line: C:\Windows\system32\wermgr.exe), PID 3284, child of PID 432
    - Suspicious use of AdjustPrivilegeToken