Analysis
- max time kernel: 38s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-07-2021 12:37
Static task: static1
Behavioral task: behavioral1
- Sample: triage_dropped_file.dll
- Resource: win7v20210410
General
- Target: triage_dropped_file.dll
- Size: 594KB
- MD5: 346446b4a209814f7542e706a561ad89
- SHA1: 3e77832af77b84ded9c08212fc2bd9d7022f6c9c
- SHA256: 4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7
- SHA512: b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef
Malware Config
Extracted
- trickbot
- 2000031
- zev1
- autorun:
  - Name: pwgrabb
  - Name: pwgrabc
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 18, ioc: ip.anysrc.net
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - description: Token: SeDebugPrivilege, pid 1784, process wermgr.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 568 wrote to memory of 2264, 568, regsvr32.exe, regsvr32.exe (3 entries)
  - PID 2264 wrote to memory of 1784, 2264, regsvr32.exe, wermgr.exe (4 entries)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1784-122-0x0000000000000000-mapping.dmp
- memory/1784-123-0x000001CD3E570000-0x000001CD3E598000-memory.dmp (Filesize: 160KB)
- memory/1784-124-0x000001CD3E680000-0x000001CD3E681000-memory.dmp (Filesize: 4KB)
- memory/2264-114-0x0000000000000000-mapping.dmp
- memory/2264-115-0x0000000004E00000-0x0000000004E37000-memory.dmp (Filesize: 220KB)
- memory/2264-119-0x0000000004E40000-0x0000000004E83000-memory.dmp (Filesize: 268KB)
- memory/2264-118-0x0000000004BE0000-0x0000000004DEE000-memory.dmp (Filesize: 2.1MB)
- memory/2264-120-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize: 4KB)
- memory/2264-121-0x0000000004EA1000-0x0000000004EA3000-memory.dmp (Filesize: 8KB)