Analysis
-
max time kernel
112s -
max time network
23s -
platform
windows7_x64 -
resource
win7 -
submitted
11-07-2020 07:10
Static task
static1
Behavioral task
behavioral1
Sample
2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll
Resource
win7
General
-
Target
2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll
-
Size
678KB
-
MD5
e322b2f7ccc5766cdbecc9966eed8259
-
SHA1
15c8d99d0c68a33e36e9e0ec3d6b1eb7912173ef
-
SHA256
67a402b5426a99f38e38a45bb44edebcf44032ff39ca38178b7d42b6934fefa4
-
SHA512
23b280a0fe918c029b3edf4fb72c52ad7d87cad2f5ca17c30bff430fadaf83375705419777fd0ff1a8ff1e39138002c78ea77ef6c6d22ba9aa67e38d0635b8f1
Malware Config
Extracted
trickbot
1000512
chil65
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1488 1424 rundll32.exe rundll32.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe PID 1488 wrote to memory of 284 1488 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 284 wermgr.exe Token: SeDebugPrivilege 284 wermgr.exe Token: SeDebugPrivilege 284 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral1/memory/1488-1-0x00000000001F0000-0x000000000021E000-memory.dmp templ_dll behavioral1/memory/1488-2-0x00000000002C0000-0x00000000002ED000-memory.dmp templ_dll
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:284