Resubmissions
Date              ID                 Score
18-11-2020 11:32  201118-5rrxqk18yj  10
06-11-2020 15:10  201106-kxbznxg6dx  10
25-10-2020 17:59  201025-zgtkw9nk7x  10
24-10-2020 17:41  201024-89mfnb21be  10
24-10-2020 07:18  201024-ejsr16d3q6  10

Analysis
max time kernel: 1736s
max time network: 1796s
platform: windows7_x64
resource: win7
submitted: 24-10-2020 17:41
Tasks
Static task: static1
Behavioral task: behavioral1, sample ACT96MC98SD.bin.dll, resource win7
Behavioral task: behavioral2, sample ACT96MC98SD.bin.dll, resource win7
Behavioral task: behavioral3, sample ACT96MC98SD.bin.dll, resource win10
General
Target: ACT96MC98SD.bin.dll
Size: 260KB
MD5: a7ddc63878394313d1a854e22b1c323f
SHA1: f4dae0a6e298a594faa76aac8f362030226fab77
SHA256: 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
SHA512: 40fd700b40e52f426f4255bb7993736548f647f3a4831ee970f3128454cdabf15dc4f58c6c3a4fd635941f1703fce6acccfc355a94f7370a61649f577c553302
Malware Config
Extracted
Family: trickbot
Version: 4294967043
Botnet: ono95
C2:
45.67.231.68:443
92.62.65.163:449
186.159.8.218:449
200.116.232.186:449
36.91.87.227:449
103.76.169.213:449
181.143.186.42:449
179.127.88.41:449
103.66.10.87:449
199.38.120.77:449
208.86.162.249:449
199.38.120.90:449
Attributes:
autorunName: pwgrab
Signatures
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. This is consistent with the pwgrab autorun module named in the extracted config, TrickBot's browser password grabber.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 9: ip.anysrc.net
Suspicious use of AdjustPrivilegeToken (1 IoC)
  wermgr.exe (PID 1684) enabled SeDebugPrivilege in its token
Suspicious use of WriteProcessMemory (13 IoCs)
  rundll32.exe (PID 1892) wrote to memory of rundll32.exe (PID 2032): 7 events
  rundll32.exe (PID 2032) wrote to memory of wermgr.exe (PID 1684): 6 events
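The extracted C2 list and the ip.anysrc.net flow are the two network indicators this report yields. Below is an added example (not part of the Triage report, and not TrickBot code) that turns them into a check over flow records. The record layout (tab-separated ts, src, dst, dst_port, server_name) and the sample records are constructed for the example; 11 of the 12 C2 entries use tcp/449, which is not a registered service port, so the example also surfaces any other outbound tcp/449 connection as a review-only hit rather than a block.

```python
"""Match flow records against the C2 list and IP-lookup domain from the report.
Added example; the flow records are constructed samples in a simplified
tab-separated layout (ts, src, dst, dst_port, server_name)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# C2 endpoints exactly as listed in the extracted config above.
C2_RAW = """
45.67.231.68:443
92.62.65.163:449
186.159.8.218:449
200.116.232.186:449
36.91.87.227:449
103.76.169.213:449
181.143.186.42:449
179.127.88.41:449
103.66.10.87:449
199.38.120.77:449
208.86.162.249:449
199.38.120.90:449
"""
# Domain from the "Looks up external IP address via web service" signature.
IP_LOOKUP_DOMAINS = {"ip.anysrc.net"}
# tcp/449 carries 11 of the 12 C2 entries and is not a registered service port.
# Assumption: treat other outbound tcp/449 as a weak indicator to review.
REVIEW_PORTS = {449}


def parse_c2(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into a set; rejects malformed addresses early."""
    endpoints = set()
    for entry in raw.split():
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)          # raises ValueError on garbage
        endpoints.add((host, int(port)))
    return endpoints


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def scan_flows(lines: Iterable[str], c2: Optional[set[tuple[str, int]]] = None) -> list[Hit]:
    """One Hit per record matching a C2, the IP-lookup domain, or the
    review-only port rule, checked in that order of confidence."""
    c2 = parse_c2(C2_RAW) if c2 is None else c2
    hits: list[Hit] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port_s, server_name = line.split("\t")
        port = int(port_s)
        if (dst, port) in c2:
            hits.append(Hit(ts, src, dst, port, "known TrickBot C2 from extracted config"))
        elif server_name in IP_LOOKUP_DOMAINS:
            hits.append(Hit(ts, src, dst, port, "external IP lookup service seen in sandbox run"))
        elif port in REVIEW_PORTS:
            hits.append(Hit(ts, src, dst, port, "outbound tcp/449 to host not in config (review)"))
    return hits


# Constructed sample records (not from the report). 198.51.100.x and
# 203.0.113.9 are documentation-range addresses standing in for real hosts.
SAMPLE_FLOWS = """\
# ts\tsrc\tdst\tdst_port\tserver_name
1603558901.1\t10.0.0.15\t45.67.231.68\t443\t-
1603558902.3\t10.0.0.15\t198.51.100.20\t80\tip.anysrc.net
1603558903.7\t10.0.0.15\t92.62.65.163\t449\t-
1603558904.0\t10.0.0.15\t203.0.113.9\t449\t-
1603558905.2\t10.0.0.15\t198.51.100.44\t443\twww.example.com
"""

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.port}  {hit.reason}")
```

The C2 match is the only high-confidence rule here; the IP-lookup domain is shared with legitimate software and the tcp/449 rule will fire on anything else using that port, so both are scoped as review hits. Feeding real Zeek or firewall exports only requires adapting the column split.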
Processes
C:\Windows\system32\rundll32.exe (PID 1892)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll,#1
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2032)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll,#1
    Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe (PID 1684)
      command line: C:\Windows\system32\wermgr.exe
      Suspicious use of AdjustPrivilegeToken

The DLL is invoked by export ordinal (",#1" selects ordinal 1) rather than by an exported name. The hop from the 64-bit rundll32.exe to the SysWOW64 copy is standard Windows behaviour when a 64-bit rundll32 is handed a 32-bit DLL, and the final wermgr.exe, spawned and written to by the WOW64 rundll32, is the injection host in which SeDebugPrivilege is enabled.
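The process tree and the WriteProcessMemory / AdjustPrivilegeToken signatures together describe one loader chain: rundll32.exe loading a DLL by ordinal from a user temp directory, a WOW64 rundll32 hop, and wermgr.exe spawned and written to as the injection host. The following is an added example (not Triage's detection logic) that reconstructs and flags that chain. The event records are constructed to mirror the report's process tree and signature lines; the tuple layout is an assumption, not a real sandbox or Sysmon schema, and the parent of PID 1892 is set to 0 because the report does not show it.

```python
"""Reconstruct and flag the rundll32 -> rundll32 (WOW64) -> wermgr.exe chain
from the report.  Added example; event records are constructed to mirror the
report and the field layout is an assumption."""
from __future__ import annotations

import re
from collections import defaultdict

# ("proc", pid, ppid, image, cmdline), ("wpm", writer_pid, target_pid),
# ("priv", pid, privilege).  Values mirror the report; ppid 0 is an assumption.
EVENTS = [
    ("proc", 1892, 0, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll,#1"),
    ("proc", 2032, 1892, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll,#1"),
    ("proc", 1684, 2032, r"C:\Windows\system32\wermgr.exe",
     r"C:\Windows\system32\wermgr.exe"),
    ("wpm", 1892, 2032),   # reported 7 times; one record is enough here
    ("wpm", 2032, 1684),   # reported 6 times
    ("priv", 1684, "SeDebugPrivilege"),
]

# rundll32 invoked with an export ordinal (",#N") instead of an export name.
ORDINAL_RE = re.compile(r",#\d+\s*$")
# DLL path under a per-user, user-writable AppData location.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index(events):
    """Split the event stream into process table, writer sets and privileges."""
    procs, wpm, privs = {}, defaultdict(set), defaultdict(set)
    for ev in events:
        if ev[0] == "proc":
            procs[ev[1]] = {"ppid": ev[2], "image": ev[3], "cmdline": ev[4]}
        elif ev[0] == "wpm":
            wpm[ev[2]].add(ev[1])          # target pid -> set of writer pids
        elif ev[0] == "priv":
            privs[ev[1]].add(ev[2])
    return procs, wpm, privs


def analyze(events) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs for the loader chain the report shows."""
    procs, wpm, privs = index(events)
    findings = []
    for pid, p in procs.items():
        name = image_name(p["image"])
        if (name == "rundll32.exe" and ORDINAL_RE.search(p["cmdline"])
                and USER_WRITABLE_RE.search(p["cmdline"])):
            findings.append((pid, "rundll32 loads DLL by ordinal from user-writable path"))
        parent = procs.get(p["ppid"])
        # A child that its rundll32 parent also wrote into is an injection host.
        if parent and image_name(parent["image"]) == "rundll32.exe" and p["ppid"] in wpm[pid]:
            findings.append((pid, f"{name} spawned and written to by rundll32.exe (injection host)"))
            if "SeDebugPrivilege" in privs[pid]:
                findings.append((pid, "SeDebugPrivilege enabled in injection host"))
    return findings


def chain(events, pid: int) -> list[str]:
    """Walk parent links up from pid and return image names root-first."""
    procs, _, _ = index(events)
    names = []
    while pid in procs:
        names.append(image_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names[::-1]


if __name__ == "__main__":
    print(" -> ".join(chain(EVENTS, 1684)))
    for pid, finding in analyze(EVENTS):
        print(f"PID {pid}: {finding}")
```

The ordinal-plus-temp-path rule fires on both rundll32 instances, and the write-into-child rule fires on the WOW64 rundll32 as well as on wermgr.exe, which matches the 7 + 6 WriteProcessMemory events in the report; only wermgr.exe additionally carries SeDebugPrivilege. Dropping the "wpm" events leaves just the two ordinal findings, which is the behaviour to expect when only process-creation telemetry is available.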