Analysis
Max time kernel: 258s
Max time network: 383s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 17-11-2020 11:35

Static task: static1
Behavioral task: behavioral1
Sample: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
Resource: win7v20201028
General
Target: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
Size: 407KB
MD5: cd424ccdabd6cfac66395d687b41db6a
SHA1: 78fe1f1f5547865f1cac31e36da5e970bbf05268
SHA256: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
SHA512: f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9
Malware Config
Extracted
Family: trickbot
Version (ver): 100002
Group tag (gtag): tar3
C2 servers (all on TCP/443):
  195.123.240.138:443
  162.212.158.129:443
  144.172.64.26:443
  62.108.37.145:443
  91.200.103.193:443
  194.5.249.195:443
  195.123.240.18:443
Autorun module name: pwgrab
Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  26    api.ipify.org
  25    api.ipify.org

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                                  process
  File created  C:\Windows\system32\cn\waptmmma.txt  wermgr.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1672  wermgr.exe
  Token: SeDebugPrivilege  1864  cmd.exe

Suspicious use of WriteProcessMemory (531 IoCs)
Processes: regsvr32.exe, regsvr32.exe, wermgr.exe
  description                       pid   process       target process
  PID 648 wrote to memory of 1280   648   regsvr32.exe  regsvr32.exe
  PID 1280 wrote to memory of 1672  1280  regsvr32.exe  wermgr.exe
  PID 1672 wrote to memory of 1864  1672  wermgr.exe    cmd.exe
The report lists 531 individual write events; identical rows are collapsed above. Read as a graph, the writes form one chain: regsvr32.exe (648) -> regsvr32.exe (1280) -> wermgr.exe (1672) -> cmd.exe (1864).
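The WriteProcessMemory signature above is only useful once its hundreds of repeated rows are collapsed into writer-to-target edges. The following Python routine is an added example, not part of the sandbox report: it parses rows in the report's own flattened format (`PID <src> wrote to memory of <dst> <src> <src image> <target image>`), counts repeats per edge, reconstructs root-to-leaf write chains, and flags cross-image writes into targets a COM-registration host has no business touching. The sample rows are constructed from the report's entries, and the `UNEXPECTED_TARGETS` set is an illustrative assumption to be tuned per environment.

```python
import re
from collections import Counter

# Constructed sample rows in the report's flattened format (a few of the
# 531 events; counts here are illustrative, not the report's totals).
SAMPLE_ROWS = [
    "PID 648 wrote to memory of 1280 648 regsvr32.exe regsvr32.exe",
    "PID 648 wrote to memory of 1280 648 regsvr32.exe regsvr32.exe",
    "PID 1280 wrote to memory of 1672 1280 regsvr32.exe wermgr.exe",
    "PID 1280 wrote to memory of 1672 1280 regsvr32.exe wermgr.exe",
    "PID 1280 wrote to memory of 1672 1280 regsvr32.exe wermgr.exe",
    "PID 1672 wrote to memory of 1864 1672 wermgr.exe cmd.exe",
    "PID 1672 wrote to memory of 1864 1672 wermgr.exe cmd.exe",
]

# "PID <src> wrote to memory of <dst> <src> <src image> <target image>";
# the back-reference (?P=src) rejects rows whose pid columns disagree.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)

# Assumption for illustration: images that regsvr32 or wermgr should not be
# writing into. Tune this list to the environment being hunted.
UNEXPECTED_TARGETS = {"wermgr.exe", "cmd.exe", "svchost.exe", "explorer.exe"}


def parse_rows(rows):
    """Collapse repeated rows into a Counter keyed by
    (src_pid, src_image, dst_pid, dst_image)."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            continue  # skip malformed rows instead of guessing
        edges[(int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"])] += 1
    return edges


def write_chains(edges):
    """Return every root-to-leaf path through the writer -> target graph.
    A root is a process that writes into others but was never written into."""
    children = {}
    for (src, src_img, dst, dst_img) in edges:
        children.setdefault((src, src_img), set()).add((dst, dst_img))
    targets = {(dst, dst_img) for (_, _, dst, dst_img) in edges}
    roots = sorted(node for node in children if node not in targets)

    paths = []

    def walk(node, path):
        path = path + [node]
        # drop already-visited nodes so a cyclic graph cannot recurse forever
        kids = [k for k in sorted(children.get(node, ())) if k not in path]
        if not kids:
            paths.append(path)
            return
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


def suspicious_edges(edges):
    """Cross-image writes (writer image != target image) into unexpected
    targets, with the number of write events on each edge."""
    return sorted(
        (src, src_img, dst, dst_img, n)
        for (src, src_img, dst, dst_img), n in edges.items()
        if src_img.lower() != dst_img.lower()
        and dst_img.lower() in UNEXPECTED_TARGETS
    )


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for chain in write_chains(edges):
        print(" -> ".join(f"{img} ({pid})" for pid, img in chain))
    for src, src_img, dst, dst_img, n in suspicious_edges(edges):
        print(f"cross-image write: {src_img} ({src}) -> {dst_img} ({dst}), {n} events")
```

Fed the real 531 rows, the same code yields the single chain shown in the collapsed table; the same-image regsvr32 -> regsvr32 edge is deliberately not flagged, since a 64-bit regsvr32 launching its 32-bit counterpart is expected, while the regsvr32 -> wermgr.exe and wermgr.exe -> cmd.exe edges are.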
Processes

1. C:\Windows\system32\regsvr32.exe (PID 648, per the WriteProcessMemory entries)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID 1280, child of 1)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
      Signatures: Suspicious use of WriteProcessMemory
      The 64-bit regsvr32 hands a 32-bit DLL off to its SysWOW64 counterpart, so the sample is a 32-bit DLL loaded under WOW64 on this x64 guest.

      3. C:\Windows\system32\wermgr.exe (PID 1672, child of 2)
         Command line: C:\Windows\system32\wermgr.exe
         Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
         wermgr.exe is the legitimate Windows Error Reporting manager; here it is the process the loader writes into, and it is the one that creates C:\Windows\system32\cn\waptmmma.txt and enables SeDebugPrivilege.

         4. C:\Windows\system32\cmd.exe (PID 1864, child of 3)
            Command line: C:\Windows\system32\cmd.exe
            Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
memory/1280-0-0x0000000000000000-mapping.dmp
memory/1280-1-0x0000000000240000-0x0000000000278000-memory.dmp (224KB)
memory/1280-2-0x0000000000310000-0x0000000000346000-memory.dmp (216KB)
memory/1672-3-0x0000000000000000-mapping.dmp
memory/1864-4-0x0000000000000000-mapping.dmp