Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10_x64 -
resource
win10 -
submitted
10-07-2020 17:52
Static task
static1
Behavioral task
behavioral1
Sample
update.dll
Resource
win7
General
-
Target
update.dll
-
Size
678KB
-
MD5
2d44a73570a9cc3a876b6f913ec01a04
-
SHA1
91040a0b6f0eb2018955f9c9652ac8e4e77efa4e
-
SHA256
b22dc5d5b64b027c3912d1cf9e890b4e7c007cee2e8b46cbbd4676758142d0fe
-
SHA512
82350f1ecf985279d62b2b2b60d952b7f09908001c9c95684a361d65b294209564163cd4e3511c2af288f812c84b61eba518084040109b8ed01e29192e82b55d
Malware Config
Extracted
trickbot
1000512
chil65
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe PID 2832 wrote to memory of 3368 2832 rundll32.exe wermgr.exe PID 2832 wrote to memory of 3368 2832 rundll32.exe wermgr.exe PID 2832 wrote to memory of 3368 2832 rundll32.exe wermgr.exe PID 2832 wrote to memory of 3368 2832 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3368 wermgr.exe Token: SeDebugPrivilege 3368 wermgr.exe Token: SeDebugPrivilege 3368 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/2832-1-0x0000000003340000-0x000000000336E000-memory.dmp templ_dll behavioral2/memory/2832-2-0x0000000004C20000-0x0000000004C4D000-memory.dmp templ_dll
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken