Resubmissions

Submitted           Task ID             Score
18-11-2020 11:32    201118-5rrxqk18yj   10
06-11-2020 15:10    201106-kxbznxg6dx   10
25-10-2020 17:59    201025-zgtkw9nk7x   10
24-10-2020 17:41    201024-89mfnb21be   10
24-10-2020 07:18    201024-ejsr16d3q6   10

Analysis
Max time kernel:   324s
Max time network:  386s
Platform:          windows10_x64
Resource:          win10v20201028
Submitted:         18-11-2020 11:32
Static task:       static1
Behavioral task:   behavioral1
  Sample:          ACT96MC98SD.bin.dll
  Resource:        win7v20201028
General

Target:   ACT96MC98SD.bin.dll
Size:     260KB
MD5:      a7ddc63878394313d1a854e22b1c323f
SHA1:     f4dae0a6e298a594faa76aac8f362030226fab77
SHA256:   4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
SHA512:   40fd700b40e52f426f4255bb7993736548f647f3a4831ee970f3128454cdabf15dc4f58c6c3a4fd635941f1703fce6acccfc355a94f7370a61649f577c553302
Malware Config

Extracted
Family:   trickbot
Version:  4294967043
Botnet:   ono95
C2:
  45.67.231.68:443
  92.62.65.163:449
  186.159.8.218:449
  200.116.232.186:449
  36.91.87.227:449
  103.76.169.213:449
  181.143.186.42:449
  179.127.88.41:449
  103.66.10.87:449
  199.38.120.77:449
  208.86.162.249:449
  199.38.120.90:449
Attributes:
  autorunName: pwgrab
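As an added example (not part of the sandbox report and not the sandbox's own extractor), the Python below turns the extracted-config listing above into structured IoCs a defender can act on. It reads the three leading bare values as family, version and botnet tag, which is how this sandbox labels a TrickBot config and is an assumption of the parser, validates every C2 endpoint as a real address and port, groups the endpoints by port (the 443/449 split is what a perimeter rule would key on) and emits blocklist lines. EXTRACTED is a constructed copy of the values listed above.

```python
"""Parse the extracted TrickBot config listing into structured IoCs.

Added example; not part of the sandbox report or its extractor. Layout
assumptions: the first three bare lines are family, version and botnet
tag (the labels this sandbox uses for a TrickBot config); 'ip:port' lines
are C2 endpoints; 'name:value' lines are extra attributes."""
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the "Malware Config / Extracted" block above.
EXTRACTED = """\
trickbot
4294967043
ono95
45.67.231.68:443
92.62.65.163:449
186.159.8.218:449
200.116.232.186:449
36.91.87.227:449
103.76.169.213:449
181.143.186.42:449
179.127.88.41:449
103.66.10.87:449
199.38.120.77:449
208.86.162.249:449
199.38.120.90:449
autorunName:pwgrab
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_extracted(text):
    """Return {'family', 'version', 'botnet', 'c2': [(ip, port)], 'attributes': {}}."""
    cfg = {"family": None, "version": None, "botnet": None,
           "c2": [], "attributes": {}}
    positional = ["family", "version", "botnet"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = C2_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)          # rejects e.g. 300.1.1.1
            if not 0 < port < 65536:
                raise ValueError(f"bad port in C2 entry {line!r}")
            cfg["c2"].append((ip, port))
        elif ":" in line:                     # e.g. autorunName:pwgrab
            key, _, value = line.partition(":")
            cfg["attributes"][key.strip()] = value.strip()
        elif positional:
            cfg[positional.pop(0)] = line
        else:
            raise ValueError(f"unexpected line {line!r}")
    return cfg


def c2_by_port(cfg):
    """Group C2 addresses by port; this config mixes 443 and 449."""
    groups = defaultdict(list)
    for ip, port in cfg["c2"]:
        groups[port].append(ip)
    return dict(groups)


def routable_c2(cfg):
    """Only globally routable addresses belong on a perimeter blocklist."""
    return [ip for ip, _ in cfg["c2"] if ipaddress.ip_address(ip).is_global]


def blocklist_lines(cfg):
    """One 'ip port # comment' line per C2 endpoint."""
    return [f"{ip} {port} # {cfg['family']} gtag={cfg['botnet']}"
            for ip, port in cfg["c2"]]


if __name__ == "__main__":
    cfg = parse_extracted(EXTRACTED)
    print(f"{cfg['family']} ver={cfg['version']} gtag={cfg['botnet']} "
          f"autorun={cfg['attributes'].get('autorunName')}")
    for port, ips in sorted(c2_by_port(cfg).items()):
        print(f"port {port}: {len(ips)} C2 hosts")
    print("\n".join(blocklist_lines(cfg)))
```

Run as a script to print the per-port summary and the blocklist; the botnet tag is kept in each blocklist comment so a later hit can be tied back to this campaign's config rather than to TrickBot in general.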
Signatures

ServiceHost packer (1 IoC)
Detects the ServiceHost packer used for .NET malware.
  Resource                                                  YARA rule
  behavioral2/memory/384-4-0x0000000000000000-mapping.dmp   servicehost

Dave packer (1 IoC)
Detects an executable packed with the community-named 'Dave' packer, identified by a string at the end of the file.
  Resource                                                  YARA rule
  behavioral2/memory/384-4-0x0000000000000000-mapping.dmp   dave

Program crash (1 IoC)
  PID    Process        Target PID   Target process
  3356   WerFault.exe   384          regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID    Process
  3356   WerFault.exe   (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description                  PID    Process
  Token: SeRestorePrivilege    3356   WerFault.exe
  Token: SeBackupPrivilege     3356   WerFault.exe
  Token: SeDebugPrivilege      3356   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID    Process        Target PID   Target process
  PID 3372 wrote to memory of 384   3372   regsvr32.exe   384          regsvr32.exe   (3 events)
Processes

C:\Windows\system32\regsvr32.exe   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll   (PID 3372)
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe   /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll   (PID 384)
    C:\Windows\SysWOW64\WerFault.exe   C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 608   (PID 3356)
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
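As an added example, not part of the report, the chain above can be turned into a host detection check: 64-bit regsvr32 silently (/s) registering a DLL out of a user-writable Temp directory, handing off to the 32-bit SysWOW64 regsvr32 (which is what 64-bit regsvr32 does when given a 32-bit DLL), and that child then crashing into WerFault. The event records and their field names are constructed to mirror the process tree above and are an assumption rather than any particular EDR schema; the parent PID of the first regsvr32 (1234) is a placeholder the report does not give.

```python
"""Turn the execution chain from the report into a detection check.

Added example; not part of the sandbox report. The event records below
are constructed to mirror the process tree above; their field names are an
assumption, not a specific EDR schema, and the parent PID of the first
regsvr32 (1234) is a placeholder the report does not give."""
import ntpath
import re

EVENTS = [
    {"pid": 3372, "ppid": 1234,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll"},
    {"pid": 384, "ppid": 3372,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\ACT96MC98SD.bin.dll"},
    {"pid": 3356, "ppid": 384,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 608"},
]

DLL_RE = re.compile(r'([A-Za-z]:\\[^\s"]+?\.dll)\b', re.I)
SILENT_RE = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)
WER_TARGET_RE = re.compile(r"\s-p\s+(\d+)\b")   # WerFault's crashed-process pid


def image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def dll_from_cmdline(cmdline):
    m = DLL_RE.search(cmdline)
    return m.group(1) if m else None


def analyze(events):
    """Return findings as dicts {rule, pid, detail}."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    flagged = {}  # regsvr32 pid -> DLL path for the silent user-dir loads
    for ev in events:
        if image_name(ev) != "regsvr32.exe":
            continue
        dll = dll_from_cmdline(ev["cmdline"])
        if dll is None:
            continue
        if SILENT_RE.search(ev["cmdline"]) and USER_WRITABLE_RE.search(dll):
            flagged[ev["pid"]] = dll
            findings.append({"rule": "regsvr32_silent_dll_from_user_dir",
                             "pid": ev["pid"], "detail": dll})
        parent = by_pid.get(ev["ppid"])
        # 64-bit regsvr32 given a 32-bit DLL relaunches the SysWOW64 copy:
        # not malicious by itself, but it tells you the payload is 32-bit.
        if (parent is not None and image_name(parent) == "regsvr32.exe"
                and "\\syswow64\\" in ev["image"].lower()
                and "\\syswow64\\" not in parent["image"].lower()):
            findings.append({"rule": "regsvr32_wow64_handoff",
                             "pid": ev["pid"],
                             "detail": f"parent pid {parent['pid']}"})
    for ev in events:
        if image_name(ev) != "werfault.exe":
            continue
        m = WER_TARGET_RE.search(ev["cmdline"])
        if m and int(m.group(1)) in flagged:
            target = int(m.group(1))
            findings.append({"rule": "flagged_regsvr32_crashed",
                             "pid": target, "detail": flagged[target]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:<36} pid={f['pid']:<5} {f['detail']}")
```

The silent-load-from-user-directory rule is the one to deploy broadly; the WoW64 handoff and the WerFault correlation are context that raises confidence (a loader crashing under regsvr32, as here, is itself worth a look, since a well-behaved DLL registration does not normally end in WerFault).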
Downloads

File                                                              Size
memory/384-0-0x0000000000000000-mapping.dmp                       (not listed)
memory/384-1-0x0000000000610000-0x0000000000648000-memory.dmp     224KB
memory/384-2-0x0000000000650000-0x0000000000686000-memory.dmp     216KB
memory/384-4-0x0000000000000000-mapping.dmp                       (not listed)
memory/3356-3-0x00000000048D0000-0x00000000048D1000-memory.dmp    4KB
memory/3356-6-0x00000000051E0000-0x00000000051E1000-memory.dmp    4KB