Analysis
- max time kernel: 14s
- max time network: 69s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 13:58
Behavioral task
- behavioral1
- Sample: TrickBot_may_4_2021_04C10000.bin.dll
- Resource: win7v20210410
General
- Target: TrickBot_may_4_2021_04C10000.bin.dll
- Size: 204KB
- MD5: 8989fb6ccf22d21d5aea6a28075acd98
- SHA1: f5b06d3784e6b03762efdbfd99ff81651314174a
- SHA256: 4ac8dd3d3be4961e16042fee5ea25764cbeb8acacb121fa62d1101df4006d9e7
- SHA512: 75c6152a4226fc88d31a6e8454c1f02ff0023e08dc59bf7751d9c033829ca1df505eb13a6f893f636201d41ac1b0dac3a63a5e11ba3854a1e4bc979e86fd94a0
Malware Config
Extracted
- trickbot
- 2000029
- net9
- C2:
  - 103.66.72.217:443
  - 117.252.68.211:443
  - 103.124.173.35:443
  - 115.73.211.230:443
  - 117.54.250.246:443
  - 131.0.112.122:443
  - 102.176.221.78:443
  - 181.176.161.143:443
  - 154.79.251.172:443
  - 103.111.199.76:443
  - 103.54.41.193:443
  - 154.79.244.182:443
  - 154.79.245.158:443
  - 139.255.116.42:443
  - 178.254.161.250:443
  - 178.134.47.166:443
  - 158.181.179.229:443
  - 103.90.197.33:443
  - 109.207.165.40:443
  - 178.72.192.20:443
- autorun: Name:pwgrabb, Name:pwgrabc
Signatures
- Program crash (1 IoC)
  Processes:
  pid 3132 WerFault.exe -> pid_target 1876 regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid 3132 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  pid 3132 WerFault.exe: Token: SeRestorePrivilege
  pid 3132 WerFault.exe: Token: SeBackupPrivilege
  pid 3132 WerFault.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 620 regsvr32.exe wrote to memory of PID 1876 regsvr32.exe (3 occurrences)
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\TrickBot_may_4_2021_04C10000.bin.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\TrickBot_may_4_2021_04C10000.bin.dll
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken