Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 15:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
- Resource: win7v20210408
General
- Target: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
- Size: 424KB
- MD5: ae5a227472b36642f4325c2fd4f884f5
- SHA1: 7efc236d4804073a99337a7833b9536c358c49bc
- SHA256: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0
- SHA512: dbb2f38f14785e8e27d5e7e313bf8f8a9812f8cb2bf0aeed3a3fd8f76f246aa8f8a5c4a17c4fb7c48f97dddcd883b9b3a31ee96b6b18bb310db3fb6cab5f3d2a
Malware Config
Extracted
trickbot
2000034
zem1
103.36.126.221:443
84.236.171.231:443
14.102.72.204:443
176.100.4.31:443
165.73.90.187:443
103.23.237.6:443
122.117.90.133:443
103.61.100.252:443
36.95.110.19:443
103.65.193.144:443
117.220.229.162:443
103.113.105.126:443
14.102.46.9:443
139.255.199.196:443
157.119.215.186:443
151.106.48.226:443
36.91.36.29:443
117.196.235.194:443
14.102.188.227:443
103.75.32.38:443
45.116.106.45:443
103.94.0.178:443
117.204.253.199:443
117.212.195.251:443
14.102.15.100:443
203.115.106.98:443
117.252.69.134:443
103.127.67.38:443
117.212.192.15:443
103.61.100.117:443
103.122.108.44:443
103.47.170.149:443
36.37.99.242:443
103.93.176.237:443
103.61.100.10:443
14.102.15.101:443
-
autorun
- Name: pwgrabb
- Name: pwgrabc
Signatures
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
21 | myexternalip.com
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: wermgr.exe
description | pid | process
Token: SeDebugPrivilege | 3144 | wermgr.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: regsvr32.exe, regsvr32.exe
description | pid | process | target process
PID 3980 wrote to memory of 3888 | 3980 | regsvr32.exe | regsvr32.exe
PID 3980 wrote to memory of 3888 | 3980 | regsvr32.exe | regsvr32.exe
PID 3980 wrote to memory of 3888 | 3980 | regsvr32.exe | regsvr32.exe
PID 3888 wrote to memory of 3144 | 3888 | regsvr32.exe | wermgr.exe
PID 3888 wrote to memory of 3144 | 3888 | regsvr32.exe | wermgr.exe
PID 3888 wrote to memory of 3144 | 3888 | regsvr32.exe | wermgr.exe
PID 3888 wrote to memory of 3144 | 3888 | regsvr32.exe | wermgr.exe
Processes
-
C:\Windows\system32\regsvr32.exe (level 1)
command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\regsvr32.exe (level 2)
  command line: /s C:\Users\Admin\AppData\Local\Temp\5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\wermgr.exe (level 3)
    command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3144-127-0x0000000000000000-mapping.dmp
- memory/3144-128-0x000002AC06990000-0x000002AC069B9000-memory.dmp (Filesize 164KB)
- memory/3144-129-0x000002AC06BA0000-0x000002AC06BA1000-memory.dmp (Filesize 4KB)
- memory/3888-115-0x0000000000000000-mapping.dmp
- memory/3888-116-0x0000000004CC0000-0x0000000004CFB000-memory.dmp (Filesize 236KB)
- memory/3888-119-0x0000000004D00000-0x0000000004D39000-memory.dmp (Filesize 228KB)
- memory/3888-121-0x0000000004D40000-0x0000000004D78000-memory.dmp (Filesize 224KB)
- memory/3888-123-0x0000000004A10000-0x0000000004C1E000-memory.dmp (Filesize 2.1MB)
- memory/3888-125-0x0000000004A10000-0x0000000004C1E000-memory.dmp (Filesize 2.1MB)
- memory/3888-124-0x0000000004D80000-0x0000000004DC5000-memory.dmp (Filesize 276KB)
- memory/3888-126-0x0000000003201000-0x0000000003203000-memory.dmp (Filesize 8KB)