Resubmissions
Date              Task ID             Score
18-11-2020 11:32  201118-5rrxqk18yj   10
06-11-2020 15:10  201106-kxbznxg6dx   10
25-10-2020 17:59  201025-zgtkw9nk7x   10
24-10-2020 17:41  201024-89mfnb21be   10
24-10-2020 07:18  201024-ejsr16d3q6   10

Analysis
max time kernel: 595s
max time network: 597s
platform: windows7_x64
resource: win7v20201028
submitted: 06-11-2020 15:10
Static task: static1
Behavioral task: behavioral1
Sample: ACT96MC98SD.bin.dll
Resource: win7v20201028
General
Target: ACT96MC98SD.bin.dll
Size: 260KB
MD5: a7ddc63878394313d1a854e22b1c323f
SHA1: f4dae0a6e298a594faa76aac8f362030226fab77
SHA256: 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
SHA512: 40fd700b40e52f426f4255bb7993736548f647f3a4831ee970f3128454cdabf15dc4f58c6c3a4fd635941f1703fce6acccfc355a94f7370a61649f577c553302
Malware Config
Extracted family: trickbot
Version: 4294967043
Botnet: ono95
autorun name: pwgrab
Signatures
Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Description            PID   Process
    Token: SeDebugPrivilege  1700  wermgr.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    Description                       PID   Process       Target process   Events
    PID 1880 wrote to memory of 1264  1880  regsvr32.exe  regsvr32.exe     7
    PID 1264 wrote to memory of 1700  1264  regsvr32.exe  wermgr.exe       6
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll
   PID: 1880
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll
      PID: 1264
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         PID: 1700
         Signatures: Suspicious use of AdjustPrivilegeToken