Analysis
- max time kernel: 138s
- max time network: 28s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-11-2020 15:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: kdfjglkdfg.exe.dll
  - Resource: win7v20201028
General
- Target: kdfjglkdfg.exe.dll
- Size: 407KB
- MD5: cd424ccdabd6cfac66395d687b41db6a
- SHA1: 78fe1f1f5547865f1cac31e36da5e970bbf05268
- SHA256: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
- SHA512: f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9
Malware Config
Extracted
- Family: trickbot
- Version: 100002
- Botnet: tar3
- C2:
  - 195.123.240.138:443
  - 162.212.158.129:443
  - 144.172.64.26:443
  - 62.108.37.145:443
  - 91.200.103.193:443
  - 194.5.249.195:443
  - 195.123.240.18:443
- Attributes:
  - autorunName: pwgrab
Signatures
- Dave packer (2 IoCs)
  Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.
  Processes:
    resource                                                  yara_rule
    behavioral1/memory/2004-6-0x0000000000000000-mapping.dmp  dave
    behavioral1/memory/2004-5-0x0000000000000000-mapping.dmp  dave
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1140  2004        WerFault.exe  regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    1140  WerFault.exe  (5 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1140  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1140  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 484 wrote to memory of 2004   484   regsvr32.exe  regsvr32.exe   (7 events)
    PID 2004 wrote to memory of 1140  2004  regsvr32.exe  WerFault.exe   (4 events)
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 344
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1140-3-0x0000000000000000-mapping.dmp
- memory/1140-4-0x0000000002000000-0x0000000002011000-memory.dmp (Filesize 68KB)
- memory/1140-7-0x0000000002750000-0x0000000002761000-memory.dmp (Filesize 68KB)
- memory/2004-2-0x00000000003A0000-0x00000000003D6000-memory.dmp (Filesize 216KB)
- memory/2004-1-0x0000000000210000-0x0000000000248000-memory.dmp (Filesize 224KB)
- memory/2004-0-0x0000000000000000-mapping.dmp
- memory/2004-6-0x0000000000000000-mapping.dmp
- memory/2004-5-0x0000000000000000-mapping.dmp