Analysis
max time kernel: 132s
max time network: 140s
platform: windows7_x64
resource: win7v20201028
submitted: 25-01-2021 19:24
Static task: static1
Behavioral task: behavioral1
Sample: superts.dll
Resource: win7v20201028

General
Target: superts.dll
Size: 415KB
MD5: 71d7040364ab0d4a514506b6d06b3b9c
SHA1: 96901f457beba35e820983730150f2ad0dd603f5
SHA256: 703b0b0e263ba5c02e94598941cdbef5e44fe6e0c544a4943a2ead352c95ef9a
SHA512: 60045768f7cf9db3f0ec4c452ec4576b813c50c81f1820f30d37781de81bf01b288cbd4e44c340340624285df7fea2bdd0c86ed7842f9ee2fb55b71bb305c75f
Malware Config
Extracted
trickbot
2000023
rob2
autorunName:pwgrab
Signatures

Templ.dll packer (1 IoC)
Detects Templ.dll packer which usually loads Trickbot.
Processes:
  resource: behavioral1/memory/2036-5-0x0000000000350000-0x0000000000387000-memory.dmp
  yara_rule: templ_dll

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1376
  process: wermgr.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                          pid   process       target process
  PID 1152 wrote to memory of 2036     1152  regsvr32.exe  regsvr32.exe   (7 entries)
  PID 2036 wrote to memory of 1376     2036  regsvr32.exe  wermgr.exe     (6 entries)
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\superts.dll
  PID: 1152
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\superts.dll
    PID: 2036
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 1376
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1152-2-0x000007FEFB991000-0x000007FEFB993000-memory.dmp  Filesize: 8KB
memory/1376-6-0x0000000000000000-mapping.dmp
memory/1376-10-0x0000000000060000-0x0000000000087000-memory.dmp  Filesize: 156KB
memory/1376-11-0x00000000000A0000-0x00000000000A1000-memory.dmp  Filesize: 4KB
memory/2036-3-0x0000000000000000-mapping.dmp
memory/2036-4-0x00000000760C1000-0x00000000760C3000-memory.dmp  Filesize: 8KB
memory/2036-5-0x0000000000350000-0x0000000000387000-memory.dmp  Filesize: 220KB
memory/2036-8-0x0000000000390000-0x0000000000391000-memory.dmp  Filesize: 4KB
memory/2036-9-0x0000000000321000-0x0000000000323000-memory.dmp  Filesize: 8KB
memory/2036-7-0x0000000000510000-0x0000000000551000-memory.dmp  Filesize: 260KB
memory/2036-12-0x0000000010000000-0x0000000010037000-memory.dmp  Filesize: 220KB