Resubmissions
- 18-11-2020 11:32  201118-5rrxqk18yj  10
- 06-11-2020 15:10  201106-kxbznxg6dx  10
- 25-10-2020 17:59  201025-zgtkw9nk7x  10
- 24-10-2020 17:41  201024-89mfnb21be  10
- 24-10-2020 07:18  201024-ejsr16d3q6  10

Analysis
- max time kernel: 316s
- max time network: 376s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 15:10
Static task: static1
Behavioral task: behavioral1
Sample: ACT96MC98SD.bin.dll
Resource: win7v20201028
General
- Target: ACT96MC98SD.bin.dll
- Size: 260KB
- MD5: a7ddc63878394313d1a854e22b1c323f
- SHA1: f4dae0a6e298a594faa76aac8f362030226fab77
- SHA256: 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
- SHA512: 40fd700b40e52f426f4255bb7993736548f647f3a4831ee970f3128454cdabf15dc4f58c6c3a4fd635941f1703fce6acccfc355a94f7370a61649f577c553302
Malware Config
Extracted
trickbot
4294967043
ono95
- autorunName: pwgrab
Signatures
- Dave packer (1 IoC)
  Detects an executable packed with the community packer known as 'Dave', identified by a string at the end of the file.
  Processes:
    resource: behavioral2/memory/4884-4-0x0000000000000000-mapping.dmp  yara_rule: dave
- Program crash (1 IoC)
  Processes:
    pid 4260 WerFault.exe  ->  target pid 4884 regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 4260 WerFault.exe  (14 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege  pid 4260 WerFault.exe
    Token: SeBackupPrivilege   pid 4260 WerFault.exe
    Token: SeDebugPrivilege    pid 4260 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 4756 regsvr32.exe wrote to memory of PID 4884 regsvr32.exe  (3 events)
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 608
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/4260-3-0x00000000042F0000-0x00000000042F1000-memory.dmp  (4KB)
- memory/4260-5-0x0000000004CD0000-0x0000000004CD1000-memory.dmp  (4KB)
- memory/4884-0-0x0000000000000000-mapping.dmp
- memory/4884-1-0x0000000000230000-0x0000000000268000-memory.dmp  (224KB)
- memory/4884-2-0x0000000000270000-0x00000000002A6000-memory.dmp  (216KB)
- memory/4884-4-0x0000000000000000-mapping.dmp