Analysis
- max time kernel: 75s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en
- submitted: 13-09-2021 22:17
Static task: static1
Behavioral task: behavioral1
Sample: caDeEx.jpg.dll
Resource: win7-en
General
- Target: caDeEx.jpg.dll
- Size: 564KB
- MD5: d342499ba2e3adab152c4c7ed9ead426
- SHA1: 0b4d212ac06d26e3fbb7365322d4cb7c5487444b
- SHA256: 074b3d896e53fc8335cdea4b0f565e01b99ee9041c01d9c17a23f67409b138c1
- SHA512: 0ef2cde0d828559d8134a136a1e85797d99c95343dd9f3ec329defeba86a5adb99445448fc9c5346f5c2ec6a251d676618ac96e0cdf76317e2e6f1746dbda6b5
Malware Config
Extracted
trickbot
2000033
zev4
- autorun: Name:pwgrabb; Name:pwgrabc
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 9, ioc wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
    description                 pid   process
    Token: SeDebugPrivilege     4012  wermgr.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
    description                        pid   process       target process
    PID 4044 wrote to memory of 3120   4044  regsvr32.exe  regsvr32.exe
    PID 4044 wrote to memory of 3120   4044  regsvr32.exe  regsvr32.exe
    PID 4044 wrote to memory of 3120   4044  regsvr32.exe  regsvr32.exe
    PID 3120 wrote to memory of 4012   3120  regsvr32.exe  wermgr.exe
    PID 3120 wrote to memory of 4012   3120  regsvr32.exe  wermgr.exe
    PID 3120 wrote to memory of 4012   3120  regsvr32.exe  wermgr.exe
    PID 3120 wrote to memory of 4012   3120  regsvr32.exe  wermgr.exe
Processes
- [1] C:\Windows\system32\regsvr32.exe
      command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regsvr32.exe
        command line: /s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\wermgr.exe
          command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/3120-115-0x0000000000000000-mapping.dmp
- memory/3120-116-0x0000000004BF0000-0x0000000004C2B000-memory.dmp (Filesize: 236KB)
- memory/3120-119-0x0000000004C30000-0x0000000004C69000-memory.dmp (Filesize: 228KB)
- memory/3120-121-0x0000000004C70000-0x0000000004CA8000-memory.dmp (Filesize: 224KB)
- memory/3120-123-0x0000000004A40000-0x0000000004C4E000-memory.dmp (Filesize: 2.1MB)
- memory/3120-125-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/3120-124-0x0000000004CB0000-0x0000000004CF5000-memory.dmp (Filesize: 276KB)
- memory/3120-126-0x0000000004A40000-0x0000000004C4E000-memory.dmp (Filesize: 2.1MB)
- memory/4012-127-0x0000000000000000-mapping.dmp
- memory/4012-128-0x0000025F051B0000-0x0000025F051D9000-memory.dmp (Filesize: 164KB)
- memory/4012-129-0x0000025F052D0000-0x0000025F052D1000-memory.dmp (Filesize: 4KB)