Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
01-07-2020 01:13
Static task
static1
Behavioral task
behavioral1
Sample
update.dll
Resource
win7
General
-
Target
update.dll
-
Size
667KB
-
MD5
9985e30d0c6a85362f52ce76527f4012
-
SHA1
330f2e36c6543bd5b17580dcdbf333e87cd92a74
-
SHA256
cb1ef8c3a4792e314a4a22711c8a3fd359d24f3c154cd933f756c812713186a5
-
SHA512
881f68d05bdc1d9739c19d3cba8cf6d26f85cfc7371752603826afcf6bc76957abec3aff6ffa977374756487a8128225f0602e89098bdfc2312927a6b72645e7
Malware Config
Extracted
trickbot
1000512
chil52
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3008 wrote to memory of 3028 3008 rundll32.exe rundll32.exe PID 3008 wrote to memory of 3028 3008 rundll32.exe rundll32.exe PID 3008 wrote to memory of 3028 3008 rundll32.exe rundll32.exe PID 3028 wrote to memory of 3904 3028 rundll32.exe wermgr.exe PID 3028 wrote to memory of 3904 3028 rundll32.exe wermgr.exe PID 3028 wrote to memory of 3904 3028 rundll32.exe wermgr.exe PID 3028 wrote to memory of 3904 3028 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3904 wermgr.exe Token: SeDebugPrivilege 3904 wermgr.exe Token: SeDebugPrivilege 3904 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/3028-1-0x00000000044D0000-0x00000000044FE000-memory.dmp templ_dll behavioral2/memory/3028-2-0x0000000010000000-0x000000001002D000-memory.dmp templ_dll
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken