Overview

Task tabs (score, task, platform):

10  Static                static
-   2021021216...in.dll   windows7_x64
1   2021021216...in.dll   windows10_x64
1   2021021216...in.dll   windows7_x64
1   2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
1   2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
10  2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
10  2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
10  2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
10  2021021216...in.dll   windows10_x64
10  2021021216...in.dll   windows7_x64
1   2021021216...in.dll   windows10_x64
Analysis (score 10)

max time kernel: 81s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 18-02-2021 19:50
Static task static1

Behavioral task behavioral1: sample 202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.bin.dll, resource win7v20201028
Behavioral task behavioral2: sample 202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.bin.dll, resource win10v20201028
Behavioral task behavioral3: sample 202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll, resource win7v20201028
Behavioral task behavioral4: sample 202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll, resource win10v20201028
Behavioral task behavioral5: sample 202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.bin.dll, resource win7v20201028
Behavioral task behavioral6: sample 202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.bin.dll, resource win10v20201028
Behavioral task behavioral7: sample 202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.bin.dll, resource win7v20201028
Behavioral task behavioral8: sample 202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.bin.dll, resource win10v20201028
Behavioral task behavioral9: sample 202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin.dll, resource win7v20201028
Behavioral task behavioral10: sample 202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin.dll, resource win10v20201028
Behavioral task behavioral11: sample 202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.bin.dll, resource win7v20201028
Behavioral task behavioral12: sample 202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.bin.dll, resource win10v20201028
Behavioral task behavioral13: sample 202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.bin.dll, resource win7v20201028
Behavioral task behavioral14: sample 202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.bin.dll, resource win10v20201028
Behavioral task behavioral15: sample 202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.bin.dll, resource win7v20201028
General

Target: 202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll
Size: 603KB
MD5: 0da0dabe99b1df919b6fd27d803db851
SHA1: 9b4c420185069f81ba887cd38feee498d2c3f1d6
SHA256: 4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c
SHA512: 6bcbcaed03b99438a25efec6492153db82b5bbcef91a892abacbe5dc2ac9d78e89e2a3104ca411dffe242f6a3ead752d824cf054a7086a30039755b747400b03
Malware Config

Extracted (trickbot)
100011
mon44
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
autorunName: pwgrab
Signatures

Templ.dll packer (1 IoC)
Detects Templ.dll packer which usually loads Trickbot.
Processes:
  resource: behavioral4/memory/1180-4-0x0000000002F10000-0x0000000002F46000-memory.dmp
  yara_rule: templ_dll

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 22
  ioc: wtfismyip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  description                 pid   process
  Token: SeDebugPrivilege     204   wermgr.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                        pid    process        target process
  PID 1056 wrote to memory of 1180   1056   rundll32.exe   rundll32.exe
  PID 1056 wrote to memory of 1180   1056   rundll32.exe   rundll32.exe
  PID 1056 wrote to memory of 1180   1056   rundll32.exe   rundll32.exe
  PID 1180 wrote to memory of 1840   1180   rundll32.exe   wermgr.exe
  PID 1180 wrote to memory of 1840   1180   rundll32.exe   wermgr.exe
  PID 1180 wrote to memory of 204    1180   rundll32.exe   wermgr.exe
  PID 1180 wrote to memory of 204    1180   rundll32.exe   wermgr.exe
  PID 1180 wrote to memory of 204    1180   rundll32.exe   wermgr.exe
  PID 1180 wrote to memory of 204    1180   rundll32.exe   wermgr.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         C:\Windows\system32\wermgr.exe
      3. C:\Windows\system32\wermgr.exe
         C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads

memory/204-3-0x0000000000000000-mapping.dmp
memory/204-8-0x000001C395390000-0x000001C3953B7000-memory.dmp (Filesize 156KB)
memory/204-9-0x000001C3954A0000-0x000001C3954A1000-memory.dmp (Filesize 4KB)
memory/1180-2-0x0000000000000000-mapping.dmp
memory/1180-4-0x0000000002F10000-0x0000000002F46000-memory.dmp (Filesize 216KB)
memory/1180-6-0x00000000049B0000-0x00000000049B1000-memory.dmp (Filesize 4KB)
memory/1180-5-0x00000000048E0000-0x0000000004921000-memory.dmp (Filesize 260KB)
memory/1180-7-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize 8KB)