Analysis

max time kernel: 360s
max time network: 432s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 11:35

Static task: static1
Behavioral task: behavioral1
Sample: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
Resource: win7v20201028
General

Target: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
Size: 407KB
MD5: cd424ccdabd6cfac66395d687b41db6a
SHA1: 78fe1f1f5547865f1cac31e36da5e970bbf05268
SHA256: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
SHA512: f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9
Malware Config

Extracted
Family: trickbot
Version: 100002
Botnet: tar3
C2:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Attributes: autorunName:pwgrab (the autorun entry is named after TrickBot's pwgrab credential-stealing module)
Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
30    ipecho.net

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
description              pid  process
Token: SeDebugPrivilege  448  wermgr.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe, regsvr32.exe
description                       pid   process       target process
PID 4796 wrote to memory of 4936  4796  regsvr32.exe  regsvr32.exe
PID 4796 wrote to memory of 4936  4796  regsvr32.exe  regsvr32.exe
PID 4796 wrote to memory of 4936  4796  regsvr32.exe  regsvr32.exe
PID 4936 wrote to memory of 448   4936  regsvr32.exe  wermgr.exe
PID 4936 wrote to memory of 448   4936  regsvr32.exe  wermgr.exe
PID 4936 wrote to memory of 448   4936  regsvr32.exe  wermgr.exe
PID 4936 wrote to memory of 448   4936  regsvr32.exe  wermgr.exe
Processes

1. C:\Windows\system32\regsvr32.exe (PID 4796)
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID 4936)
      /s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe (PID 448)
         C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken

The 64-bit regsvr32.exe in system32 relaunches its 32-bit counterpart in SysWOW64 with the same /s argument because the DLL is a 32-bit image; the three writes from 4796 into 4936 belong to that hand-off. The SysWOW64 instance then starts wermgr.exe with no arguments and writes into it four times, and it is wermgr.exe, not the regsvr32.exe that loaded the DLL, that ends up enabling SeDebugPrivilege. For hunting, the regsvr32.exe -> wermgr.exe parent-child pair and a wermgr.exe that is written into by a regsvr32.exe are the behaviours to alert on; the DLL path under the user's Temp directory and the /s (silent) flag are the weaker, file-level signals.
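The following is an added example, not part of the sandbox report: detection logic for the behaviours listed under Signatures and in the process tree above, run over a constructed event log that mirrors the report (the regsvr32.exe -> regsvr32.exe -> wermgr.exe chain with the report's PIDs, the seven WriteProcessMemory hits, SeDebugPrivilege in wermgr.exe, the ipecho.net lookup). The event schema is an assumption, the extra IP-lookup hosts beyond ipecho.net are assumed additions, and the outbound connection to 195.123.240.138:443 is constructed to exercise the C2 match; the report does not show that connection.

```python
"""Detections for the regsvr32 -> wermgr.exe injection chain and IoCs in this report.

Added example, not sandbox output. Events are constructed to mirror the report;
the event schema, the extra IP-lookup hosts and the C2 connect are assumptions.
"""
import re
from collections import Counter

# C2 list (host:port) from the extracted TrickBot config in this report.
TRICKBOT_C2 = {
    "195.123.240.138:443", "162.212.158.129:443", "144.172.64.26:443",
    "62.108.37.145:443", "91.200.103.193:443", "194.5.249.195:443",
    "195.123.240.18:443",
}

# ipecho.net is the service seen here; the other hosts are assumed additions.
IP_LOOKUP_HOSTS = {"ipecho.net", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

DLL = r"C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll"

# Constructed events (assumed schema: one dict per event; PIDs as in the report).
EVENTS = [
    {"type": "process_create", "pid": 4796, "ppid": None,
     "image": r"C:\Windows\system32\regsvr32.exe", "cmdline": "regsvr32 /s " + DLL},
    {"type": "process_create", "pid": 4936, "ppid": 4796,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe", "cmdline": "/s " + DLL},
    {"type": "process_create", "pid": 448, "ppid": 4936,
     "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe"},
    *([{"type": "write_process_memory", "pid": 4796, "target_pid": 4936}] * 3),
    *([{"type": "write_process_memory", "pid": 4936, "target_pid": 448}] * 4),
    {"type": "adjust_privilege", "pid": 448, "privilege": "SeDebugPrivilege"},
    {"type": "dns_query", "pid": 448, "query": "ipecho.net"},
    {"type": "network_connect", "pid": 448, "dest": "195.123.240.138:443"},  # constructed, not in report
]


def _procs(events):
    """Index process_create events by PID."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def image_name(procs, pid):
    """Lower-cased image file name for a PID, or None if the process is unknown."""
    e = procs.get(pid)
    return e["image"].rsplit("\\", 1)[-1].lower() if e else None


def lineage(procs, pid):
    """Image names from the root of the tree down to pid,
    e.g. ['regsvr32.exe', 'regsvr32.exe', 'wermgr.exe'] for PID 448."""
    chain = []
    while pid in procs:
        chain.append(image_name(procs, pid))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return {rule_name: Counter of (pid, detail)} for every rule that fired."""
    procs = _procs(events)
    hits = {}

    def fire(rule, pid, detail=None):
        hits.setdefault(rule, Counter())[(pid, detail)] += 1

    for e in events:
        t, pid = e["type"], e["pid"]
        me = image_name(procs, pid)
        if t == "process_create":
            # regsvr32 /s silently registering a DLL dropped in the user's Temp directory
            if me == "regsvr32.exe" and "/s" in e["cmdline"].lower().split() \
                    and USER_TEMP.search(e["cmdline"]):
                fire("regsvr32_silent_temp_dll", pid, e["cmdline"])
        elif t == "write_process_memory":
            # regsvr32 -> regsvr32 is the 64-bit to 32-bit hand-off and is not flagged;
            # a write into a process of a different image (here wermgr.exe) is the injection signal
            tgt = image_name(procs, e["target_pid"])
            if me != tgt:
                fire("cross_image_memory_write", pid, f"{me}->{tgt}")
        elif t == "adjust_privilege":
            # SeDebugPrivilege enabled by a process whose ancestry includes regsvr32.exe
            if e["privilege"] == "SeDebugPrivilege" and "regsvr32.exe" in lineage(procs, pid):
                fire("sedebug_under_regsvr32", pid, me)
        elif t == "dns_query":
            if e["query"].lower() in IP_LOOKUP_HOSTS:
                fire("external_ip_lookup", pid, e["query"])
        elif t == "network_connect":
            if e["dest"] in TRICKBOT_C2:
                fire("trickbot_c2_connect", pid, e["dest"])
    return hits


if __name__ == "__main__":
    for rule, counter in sorted(detect(EVENTS).items()):
        for (pid, detail), n in counter.items():
            print(f"{rule:28} pid={pid:<5} x{n}  {detail}")
```

The cross-image write rule is deliberately image-based rather than PID-based: the parent-to-child writes between the two regsvr32.exe instances are expected when 64-bit regsvr32 hands a 32-bit DLL to SysWOW64, so counting every WriteProcessMemory would drown the four writes into wermgr.exe that matter. Feeding this Sysmon data means mapping Event ID 1 to process_create, Event ID 10 (ProcessAccess) to the memory-write rule, and Event ID 22 to dns_query; the SeDebugPrivilege event has no direct Sysmon equivalent and would come from Security event 4703 or an EDR telemetry source.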