Analysis
-
max time kernel
126s -
max time network
129s -
platform
windows10_x64 -
resource
win10 -
submitted
29-06-2020 19:22
Static task
static1
Behavioral task
behavioral1
Sample
update.dll
Resource
win7v200430
General
-
Target
update.dll
-
Size
548KB
-
MD5
5ae59237bb50ddcf907b25b6952da9c8
-
SHA1
1e25e6b4b7acdd309ae2176c4164acc4f3300b91
-
SHA256
95219d7277efae8024c40d481e120b7c70f8c73f361574752c62ffe789346c3e
-
SHA512
24e33d5f58f54f760782060a2fc06fea2f769d28031cf626d45910cbbaf4838e77724a3d8ca317d0d2424186066bf2714b706a60bb3054018f2b31db53957c75
Malware Config
Extracted
trickbot
1000512
chil50
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3672 wrote to memory of 3056 3672 rundll32.exe rundll32.exe PID 3672 wrote to memory of 3056 3672 rundll32.exe rundll32.exe PID 3672 wrote to memory of 3056 3672 rundll32.exe rundll32.exe PID 3056 wrote to memory of 3160 3056 rundll32.exe wermgr.exe PID 3056 wrote to memory of 3160 3056 rundll32.exe wermgr.exe PID 3056 wrote to memory of 3160 3056 rundll32.exe wermgr.exe PID 3056 wrote to memory of 3160 3056 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3160 wermgr.exe Token: SeDebugPrivilege 3160 wermgr.exe Token: SeDebugPrivilege 3160 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/3056-1-0x0000000000700000-0x000000000072E000-memory.dmp templ_dll behavioral2/memory/3056-2-0x0000000000730000-0x000000000075D000-memory.dmp templ_dll -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 api.ipify.org 12 api.ipify.org
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken