Analysis
max time kernel:  135s
max time network: 142s
platform:         windows7_x64
resource:         win7v20210408
submitted:        22-04-2021 16:30
Behavioral task: behavioral1
Sample:          rundll32_03300000.dll
Resource:        win7v20210408
General
Target: rundll32_03300000.dll
Size:   208KB
MD5:    4098b34beea650657077c34cccc64d23
SHA1:   9d530cc1702acef7bfc366c81746b77fa0d47f71
SHA256: 80afc885cde130c0fcc5e8b7e0a03130ca7922790ba82853c8ec1de8cb951f83
SHA512: 0be883596c4cecc29304daffce9538f3c59b235bf4501aecb53a239c4251da210d0f05a3f537131af6993302903d9b48d741b4af773f80d4bfeeca9cc4580fd9
Malware Config
Extracted
trickbot
2000028
rob52
autorunName: pwgrab
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
15    checkip.amazonaws.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  1904  wermgr.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description                       pid   process       target process
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 484 wrote to memory of 1932   484   regsvr32.exe  regsvr32.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
PID 1932 wrote to memory of 1904  1932  regsvr32.exe  wermgr.exe
Processes (process tree, child processes indented under their parent)

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
memory dump                                                          filesize
memory/484-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp       8KB
memory/1904-63-0x0000000000000000-mapping.dmp                        -
memory/1904-68-0x00000000000A0000-0x00000000000A1000-memory.dmp      4KB
memory/1904-67-0x0000000000060000-0x0000000000088000-memory.dmp      160KB
memory/1932-61-0x0000000000000000-mapping.dmp                        -
memory/1932-62-0x0000000075AA1000-0x0000000075AA3000-memory.dmp      8KB
memory/1932-65-0x0000000000250000-0x00000000002D0000-memory.dmp      512KB
memory/1932-64-0x00000000001C0000-0x0000000000203000-memory.dmp      268KB
memory/1932-66-0x0000000000250000-0x00000000002D0000-memory.dmp      512KB