Analysis
- max time kernel: 30s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-02-2021 08:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: m87.dll
  - Resource: win7v20201028
General
- Target: m87.dll
- Size: 901KB
- MD5: d48404abfb5c8a7bac7f9f619da899e9
- SHA1: 05acc14a076af1e2696faa5fa4e32778e55ec27f
- SHA256: 36a3edc08009fefa694124a1b09f45657496f8a1e6c0c009093f134632c27e98
- SHA512: aad2610a41f7293133ecccc6b25a2c020c5def3356e09634e1cec77581496befb997fd8d9e6e0e37db8b9177a4542bfbfcdda9e2c30ec215f5cb50da0dcdd6ce
Malware Config
Extracted
- family: trickbot
- 100012
- mon87
- C2 (IP:port):
  41.77.134.250:449
  45.155.173.242:443
  192.162.238.186:449
  142.112.79.223:449
  122.2.28.70:449
  154.126.176.30:449
  45.230.244.20:443
  182.253.107.34:443
  200.52.147.93:443
  123.200.26.246:449
  131.255.106.152:449
  177.85.133.118:449
  103.225.138.94:449
  142.202.191.164:443
  95.210.118.90:449
  36.94.62.207:443
  201.20.118.122:449
  180.92.238.186:449
  103.130.6.244:449
  202.91.41.138:449
  187.20.217.129:449
- autorunName:pwgrab
Signatures
- Templ.dll packer (1 IoC)
  Detects Templ.dll packer which usually loads Trickbot.
  Processes:
    resource                                                               | yara_rule
    behavioral1/memory/1632-5-0x0000000000190000-0x00000000001C7000-memory.dmp | templ_dll
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    6    | wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
    description               | pid  | process
    Token: SeDebugPrivilege   | 1704 | wermgr.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
    description                        | pid  | process      | target process | count
    PID 1724 wrote to memory of 1632   | 1724 | regsvr32.exe | regsvr32.exe   | 7
    PID 1632 wrote to memory of 1832   | 1632 | regsvr32.exe | wermgr.exe     | 4
    PID 1632 wrote to memory of 1704   | 1632 | regsvr32.exe | wermgr.exe     | 6
Processes
1. C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\m87.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\m87.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe | C:\Windows\system32\wermgr.exe
      3. C:\Windows\system32\wermgr.exe | C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1632-3-0x0000000000000000-mapping.dmp
- memory/1632-4-0x00000000761E1000-0x00000000761E3000-memory.dmp (Filesize: 8KB)
- memory/1632-5-0x0000000000190000-0x00000000001C7000-memory.dmp (Filesize: 220KB)
- memory/1632-6-0x0000000000240000-0x0000000000283000-memory.dmp (Filesize: 268KB)
- memory/1632-9-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1632-8-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
- memory/1704-7-0x0000000000000000-mapping.dmp
- memory/1704-10-0x0000000000060000-0x0000000000088000-memory.dmp (Filesize: 160KB)
- memory/1704-11-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize: 4KB)
- memory/1724-2-0x000007FEFC601000-0x000007FEFC603000-memory.dmp (Filesize: 8KB)