Analysis
max time kernel: 79s
max time network: 139s
platform: windows7_x64
resource: win7v20201028
submitted: 23-12-2020 12:44
Static task: static1
Behavioral task: behavioral1
Sample: properties.dll
Resource: win7v20201028
General
Target: properties.dll
Size: 324KB
MD5: 1e4f3ce667664c43b54a953e285ca63a
SHA1: c8379dfafc1cde7b9f9fe7f0e0a02085c9d329cf
SHA256: 08cb300ae6bb92760d1bb263412191120bccf1593b72af35707b44c07020301d
SHA512: 2b8f1d510b2e5880161c91ebe68a79291e0671d8aae408099217d09d7fbf21c4a0eff2a922fca00d2b174f936866329de580fe00d9a260740ec4a363d436f3e9
Malware Config
Extracted: trickbot
100007
rob27
41.243.29.182:449
196.45.140.146:449
103.87.25.220:443
103.98.129.222:449
103.87.25.220:449
103.65.196.44:449
103.65.195.95:449
103.61.101.11:449
103.61.100.131:449
103.150.68.124:449
103.137.81.206:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
autorunName: pwgrab
Signatures

Templ.dll packer (2 IoCs)
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource | yara_rule
behavioral1/memory/1252-3-0x00000000001D0000-0x000000000020A000-memory.dmp | templ_dll
behavioral1/memory/1252-4-0x0000000000380000-0x00000000003B8000-memory.dmp | templ_dll

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
11 | myexternalip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1872 | wermgr.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description | pid | process | target process
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1824 wrote to memory of 1252 | 1824 | regsvr32.exe | regsvr32.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
PID 1252 wrote to memory of 1872 | 1252 | regsvr32.exe | wermgr.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\properties.dll
   - Suspicious use of WriteProcessMemory
   PID: 1824

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\properties.dll
      - Suspicious use of WriteProcessMemory
      PID: 1252

      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
         PID: 1872