Analysis
Max time kernel: 25s
Max time network: 141s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 20-01-2021 18:01
Behavioral task: behavioral1
Sample: e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
Resource: win7v20201028
General
Target: e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
Size: 217KB
MD5: f8f47764f5b13c65987da4208c29a25e
SHA1: 5a5a1a5ddacd3808435cb2db896fd0c11e0388bd
SHA256: 489e7ef8892da96762561f945ab244100a9cc23eecb341c01f55d1e382f1a316
SHA512: 0056c963665f57b9cafe443a9b7596e2af50ff28353d55ef9293904675eefb3f328bf1470adabcc38766733cc9177f0e7125278771200f4f0b2e6c656f36638b
Malware Config (extracted)
Family: trickbot
Version: 2000022
Botnet: mor1
C2: 24 IP:443 endpoints (address list omitted)
autorunName: pwgrab
Signatures
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 8: icanhazip.com
Suspicious use of AdjustPrivilegeToken (1 IoC)
wermgr.exe (PID 1336): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (13 IoCs)
PID 776 regsvr32.exe wrote to memory of PID 1504 regsvr32.exe (7 times)
PID 1504 regsvr32.exe wrote to memory of PID 1336 wermgr.exe (6 times)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
memory/776-2-0x000007FEFB991000-0x000007FEFB993000-memory.dmp (8KB)
memory/1336-5-0x0000000000000000-mapping.dmp
memory/1336-9-0x0000000000060000-0x0000000000089000-memory.dmp (164KB)
memory/1336-10-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
memory/1504-3-0x0000000000000000-mapping.dmp
memory/1504-4-0x0000000075C61000-0x0000000075C63000-memory.dmp (8KB)
memory/1504-6-0x00000000001C0000-0x0000000000202000-memory.dmp (264KB)
memory/1504-7-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
memory/1504-8-0x0000000000211000-0x0000000000213000-memory.dmp (8KB)
memory/1504-11-0x0000000010000000-0x0000000010003000-memory.dmp (12KB)