Analysis
max time kernel: 71s
max time network: 134s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 08:09
Static task: static1
Behavioral task: behavioral1
Sample: ee6d7f80f549e9700b0e2d9b7e88aa53.dll
Resource: win7v20201028

General
Target: ee6d7f80f549e9700b0e2d9b7e88aa53.dll
Size: 434KB
MD5: ee6d7f80f549e9700b0e2d9b7e88aa53
SHA1: 0d58596ec23e23bfeb1ebd95fcaf89e9b2afe08f
SHA256: 54f6fe3e63891e2c0b925cf17385c6df56d824cee163111e93fef76c6476a535
SHA512: 598cd2ddd63bc565167dbfaa739f73f6f2061e9106eb78c3740a8b2d8cd4ead7fff023af55493a35a8b87043e6bad6ad243eda18a86a63afb7dec466a05e7c83
Malware Config
Extracted
trickbot
2000028
rob45
autorunName: pwgrab
Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
22    ident.me
23    ident.me

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  4208  wermgr.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                         pid   process       target process
PID 4636 wrote to memory of 4656    4636  rundll32.exe  rundll32.exe
PID 4636 wrote to memory of 4656    4636  rundll32.exe  rundll32.exe
PID 4636 wrote to memory of 4656    4636  rundll32.exe  rundll32.exe
PID 4656 wrote to memory of 4208    4656  rundll32.exe  wermgr.exe
PID 4656 wrote to memory of 4208    4656  rundll32.exe  wermgr.exe
PID 4656 wrote to memory of 4208    4656  rundll32.exe  wermgr.exe
PID 4656 wrote to memory of 4208    4656  rundll32.exe  wermgr.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee6d7f80f549e9700b0e2d9b7e88aa53.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee6d7f80f549e9700b0e2d9b7e88aa53.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads
memory/4208-115-0x0000000000000000-mapping.dmp
memory/4208-119-0x0000028700A10000-0x0000028700A38000-memory.dmp  Filesize: 160KB
memory/4208-120-0x0000028700B20000-0x0000028700B21000-memory.dmp  Filesize: 4KB
memory/4656-114-0x0000000000000000-mapping.dmp
memory/4656-117-0x00000000031D0000-0x00000000031D1000-memory.dmp  Filesize: 4KB
memory/4656-116-0x00000000030F0000-0x0000000003124000-memory.dmp  Filesize: 208KB
memory/4656-118-0x0000000010001000-0x0000000010003000-memory.dmp  Filesize: 8KB