Analysis
  max time kernel: 25s
  max time network: 110s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 27-02-2021 08:55

Static task: static1
Behavioral task: behavioral1
  Sample: m87.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

The signatures, process tree and memory dumps below come from the windows10_x64 run (their resources are prefixed behavioral2/); the windows7_x64 task behavioral1 reported 0 signatures.
General
  Target: m87.dll
  Size: 901KB
  MD5: d48404abfb5c8a7bac7f9f619da899e9
  SHA1: 05acc14a076af1e2696faa5fa4e32778e55ec27f
  SHA256: 36a3edc08009fefa694124a1b09f45657496f8a1e6c0c009093f134632c27e98
  SHA512: aad2610a41f7293133ecccc6b25a2c020c5def3356e09634e1cec77581496befb997fd8d9e6e0e37db8b9177a4542bfbfcdda9e2c30ec215f5cb50da0dcdd6ce
Malware Config
Signatures

Templ.dll packer (1 IoC)
  Detects Templ.dll packer which usually loads Trickbot.
  resource: behavioral2/memory/1892-3-0x00000000004D0000-0x0000000000507000-memory.dmp
  yara_rule: templ_dll

Program crash (1 IoC)
  pid 2144 WerFault.exe, target pid 1892 regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2144 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid 2144 WerFault.exe
  Token: SeBackupPrivilege   pid 2144 WerFault.exe
  Token: SeDebugPrivilege    pid 2144 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 540 regsvr32.exe wrote to memory of PID 1892 regsvr32.exe (3 occurrences)
Processes

C:\Windows\system32\regsvr32.exe (PID 540)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\m87.dll
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 1892)
      command line: /s C:\Users\Admin\AppData\Local\Temp\m87.dll
        C:\Windows\SysWOW64\WerFault.exe (PID 2144)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 620
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
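The chain above (64-bit regsvr32 silently registering a DLL from the user's Temp directory, re-executing its SysWOW64 copy because the DLL is 32-bit, and that copy crashing into WerFault) is worth encoding as a detection. The Python below is an added example, not part of this report or of the sandbox's own code. The process events are constructed from the report's process tree (PIDs 540, 1892 and 2144 and the command lines are the report's; the parent of PID 540 is not on the page and is set to 0), and the event layout and the user-writable path list are assumptions. It attributes the parent's WriteProcessMemory to the WoW64 relaunch rather than to injection into an unrelated process, and ties WerFault's -p argument back to the crashed loader, so the EnumeratesProcesses and AdjustPrivilegeToken hits on PID 2144 read as crash reporting of PID 1892 rather than as behaviour of m87.dll itself.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events reproducing the report's process tree.
# PIDs 540, 1892, 2144 and the command lines are taken from the report; the
# parent of 540 is not on the page, so 0 stands in for "unknown".
EVENTS = [
    ProcEvent(540, 0, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\m87.dll"),
    ProcEvent(1892, 540, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\m87.dll"),
    ProcEvent(2144, 1892, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 620"),
]

# Directories an unprivileged user can write to (assumed list). A DLL handed to
# regsvr32 /s from one of these is the usual dropped-loader pattern.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_regsvr32(cmdline: str) -> Optional[Tuple[bool, str]]:
    """Return (silent, dll_path) for a regsvr32 command line, else None."""
    m = re.search(r'([A-Za-z]:\\[^"\s]+\.dll)', cmdline, re.I)
    if m is None:
        return None
    silent = re.search(r"(?:^|\s)/s(?:\s|$)", cmdline, re.I) is not None
    return silent, m.group(1)


def werfault_target(cmdline: str) -> Optional[int]:
    """In 'WerFault.exe -u -p <pid> -s <event>' the -p value is the crashed process."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def analyze(events):
    """Return findings as (kind, pid, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "regsvr32.exe":
            parsed = parse_regsvr32(e.cmdline)
            if parsed is None:
                continue
            silent, dll = parsed
            parent = by_pid.get(e.ppid)
            parent_dll = ""
            if parent is not None and basename(parent.image) == "regsvr32.exe":
                parent_dll = (parse_regsvr32(parent.cmdline) or (False, ""))[1]
            # 64-bit regsvr32 given a 32-bit DLL re-executes its SysWOW64 copy on
            # the same DLL. The parent's WriteProcessMemory into that child is
            # part of creating it, not injection into a foreign process.
            if "\\syswow64\\" in e.image.lower() and parent_dll.lower() == dll.lower():
                findings.append(("wow64_relaunch", e.pid, e.ppid))
            elif silent and USER_WRITABLE.search(dll):
                findings.append(("regsvr32_silent_temp_dll", e.pid, dll))
        elif name == "werfault.exe":
            target = werfault_target(e.cmdline)
            crashed = by_pid.get(target) if target is not None else None
            if crashed is not None and basename(crashed.image) == "regsvr32.exe":
                # The DLL host died: WerFault's own process enumeration and
                # SeDebugPrivilege use are crash reporting of that pid.
                findings.append(("loader_crash", target, e.pid))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:26} pid={pid} {detail}")
```

Run stand-alone it prints three findings: the silent Temp-directory registration on PID 540, the WoW64 relaunch for PID 1892, and the crash of PID 1892 reported by PID 2144. Feeding real Sysmon event 1 or EDR process-start records only requires mapping their fields onto ProcEvent.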
Network
MITRE ATT&CK Matrix
Downloads
  memory/1892-2-0x0000000000000000-mapping.dmp
  memory/1892-3-0x00000000004D0000-0x0000000000507000-memory.dmp  (220KB)
  memory/1892-5-0x0000000000510000-0x0000000000553000-memory.dmp  (268KB)
  memory/2144-4-0x0000000004990000-0x0000000004991000-memory.dmp  (4KB)
  memory/2144-6-0x0000000004D90000-0x0000000004D91000-memory.dmp  (4KB)
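The dump names follow the sandbox's "<pid>-<index>-<start>-<end>-memory.dmp" convention, so each listed size can be checked against its address range, and the resource named by the Templ.dll YARA hit in the Signatures section can be mapped to the dump it fired on. The script below is an added example, not code from this report or from the sandbox; the file list is copied from above, the region bytes it inspects are constructed (the report does not say what the real regions contain), and the PE-header check is a generic "this region holds an unpacked image" heuristic, not the templ_dll rule.

```python
import re
import struct
from typing import Optional

# Region dumps are named "<pid>-<index>-<start>-<end>-memory.dmp";
# "<pid>-<index>-<addr>-mapping.dmp" entries are mapping metadata, not regions.
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Inventory copied from the report's Downloads section: (name, listed size in KB).
DOWNLOADS = [
    ("memory/1892-3-0x00000000004D0000-0x0000000000507000-memory.dmp", 220),
    ("memory/1892-5-0x0000000000510000-0x0000000000553000-memory.dmp", 268),
    ("memory/2144-4-0x0000000004990000-0x0000000004991000-memory.dmp", 4),
    ("memory/2144-6-0x0000000004D90000-0x0000000004D91000-memory.dmp", 4),
]

# Resource named by the Templ.dll YARA hit in the Signatures section.
YARA_HIT = "behavioral2/memory/1892-3-0x00000000004D0000-0x0000000000507000-memory.dmp"


def parse_dump_name(name: str) -> Optional[dict]:
    """Decode pid, index and address range from a region-dump file name."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end,
            "size": end - start}


def check_inventory(downloads):
    """For each region dump return (name, KB from the address range, listed KB, ok).

    ok requires the two sizes to agree and the range to be page (0x1000) aligned,
    which is what a dump of whole committed pages should look like."""
    rows = []
    for name, listed_kb in downloads:
        d = parse_dump_name(name)
        if d is None:
            continue
        kb = d["size"] // 1024
        ok = (kb == listed_kb and d["size"] % 0x1000 == 0
              and d["start"] % 0x1000 == 0)
        rows.append((name, kb, listed_kb, ok))
    return rows


def region_for_yara_hit(resource: str, downloads) -> Optional[dict]:
    """Map a signature resource ("behavioral2/memory/...") to the downloadable dump."""
    name = resource.split("/", 1)[1] if resource.startswith("behavioral") else resource
    for entry, _ in downloads:
        if entry == name:
            return parse_dump_name(entry)
    return None


def looks_like_pe(region: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew points at PE\\0\\0.

    A packer that unpacks into a fresh allocation often leaves the image there
    with its headers intact, so this picks the region worth carving first."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return e_lfanew + 4 <= len(region) and region[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_constructed_region(size: int = 0x1000) -> bytes:
    """Constructed stand-in for a dumped region that holds an unpacked image
    (the report does not say what the real regions contain)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for name, kb, listed, ok in check_inventory(DOWNLOADS):
        print(f"{'ok ' if ok else 'BAD'} {kb:>4} KB (listed {listed}) {name}")
    hit = region_for_yara_hit(YARA_HIT, DOWNLOADS)
    print("templ_dll hit: pid", hit["pid"], "size 0x%x" % hit["size"])
    print("constructed region looks like PE:", looks_like_pe(build_constructed_region()))
```

All four ranges above are page-aligned and match the listed sizes (0x507000 - 0x4D0000 = 0x37000 = 220KB, 0x553000 - 0x510000 = 0x43000 = 268KB, and two 4KB pages in WerFault), and the YARA hit resolves to the 220KB region of PID 1892. To use looks_like_pe on the real dumps, read the downloaded file and pass its bytes in place of the constructed region.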