Resubmissions
- 23-11-2020 11:51 201123-ypblgj22k2 (score 10)
- 20-11-2020 11:47 201120-y2cng92bq6 (score 10)
- 20-11-2020 11:44 201120-5yd27gn712 (score 10)
Analysis
- max time kernel: 64s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-11-2020 11:44
- Static task: static1
General
- Target: trick.dll
- Size: 272KB
- MD5: 5f7b5a98f75f4aa550e4368eb6dc9733
- SHA1: d835a309e249f5d526529b9a28ed138b1bcfd40b
- SHA256: c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a
- SHA512: 167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac
Malware Config
Extracted
- Family: trickbot
- Version: 100003
- Botnet: rob7
- C2: (list of C2 addresses omitted)
Attributes
- autorunName: pwgrab
- ecc_pubkey.base64
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 11, IoC checkip.amazonaws.com
- Drops file in Windows directory (1 IoC)
  Processes: regsvr32.exe
  description: File opened for modification; IoC: C:\Windows\notepad.exe; process: regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
  description: Token: SeDebugPrivilege; PID 1688; process: wermgr.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description: PID 1900 wrote to memory of 1344 (regsvr32.exe -> regsvr32.exe), 7 events
  description: PID 1344 wrote to memory of 1688 (regsvr32.exe -> wermgr.exe), 6 events
Processes
1. C:\Windows\system32\regsvr32.exe — command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trick.dll (PID 1900)
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe — command line: /s C:\Users\Admin\AppData\Local\Temp\trick.dll (PID 1344)
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe — command line: C:\Windows\system32\wermgr.exe (PID 1688)
         - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1344-0-0x0000000000000000-mapping.dmp
- memory/1344-1-0x00000000002E0000-0x000000000031A000-memory.dmp (Filesize 232KB)
- memory/1344-2-0x0000000001CD0000-0x0000000001D08000-memory.dmp (Filesize 224KB)
- memory/1344-3-0x0000000001E40000-0x0000000001E76000-memory.dmp (Filesize 216KB)
- memory/1688-4-0x0000000000000000-mapping.dmp