Resubmissions
Submitted         | Task ID           | Score
23-09-2021 14:52  | 210923-r89apsega9 | 10
16-09-2021 02:31  | 210916-cz3z1abhc4 | 1
16-09-2021 02:30  | 210916-czcstabhb9 | 1
16-09-2021 02:27  | 210916-cxvwlsbhb6 | 10
Analysis
- max time kernel: 54s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-09-2021 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
Resource: win7v20210408
General
- Target: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
- Size: 424KB
- MD5: ae5a227472b36642f4325c2fd4f884f5
- SHA1: 7efc236d4804073a99337a7833b9536c358c49bc
- SHA256: 5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0
- SHA512: dbb2f38f14785e8e27d5e7e313bf8f8a9812f8cb2bf0aeed3a3fd8f76f246aa8f8a5c4a17c4fb7c48f97dddcd883b9b3a31ee96b6b18bb310db3fb6cab5f3d2a
Malware Config
Extracted family: trickbot
Version: 2000034
Botnet (gtag): zem1
C2 servers (all on TCP 443):
103.36.126.221:443
84.236.171.231:443
14.102.72.204:443
176.100.4.31:443
165.73.90.187:443
103.23.237.6:443
122.117.90.133:443
103.61.100.252:443
36.95.110.19:443
103.65.193.144:443
117.220.229.162:443
103.113.105.126:443
14.102.46.9:443
139.255.199.196:443
157.119.215.186:443
151.106.48.226:443
36.91.36.29:443
117.196.235.194:443
14.102.188.227:443
103.75.32.38:443
45.116.106.45:443
103.94.0.178:443
117.204.253.199:443
117.212.195.251:443
14.102.15.100:443
203.115.106.98:443
117.252.69.134:443
103.127.67.38:443
117.212.192.15:443
103.61.100.117:443
103.122.108.44:443
103.47.170.149:443
36.37.99.242:443
103.93.176.237:443
103.61.100.10:443
14.102.15.101:443
Autorun modules: pwgrabb, pwgrabc
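The config block above is what the sandbox extracted; turning it into something a network team can deploy is the usual next step. The following is an added example (not part of this report and not Triage's own extractor code): it parses a constructed copy of the block in the same raw layout the extractor emits (family, version, gtag, one host:port per line, then the fused "autorunName:..." line), drops entries that are not routable public addresses so a blocklist built from it cannot hit the local network, and renders the surviving C2 entries as Suricata rules. The sample input, the rule text and the SID range are the author's assumptions.

```python
"""Parse the extracted TrickBot config into validated IOCs and Suricata rules.

Added example; not from the sandbox report or from Triage. The input below is a
constructed copy of the report's config layout with two deliberately bad lines.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input in the raw extractor layout (a subset of the C2 list,
# plus one non-address and one RFC1918 address to exercise the validation).
SAMPLE_CONFIG = """\
trickbot
2000034
zem1
103.36.126.221:443
84.236.171.231:443
14.102.72.204:443
not-an-ip:443
10.0.0.1:443
autorunName:pwgrabbName:pwgrabc
"""


@dataclass
class TrickbotConfig:
    family: str
    version: str
    gtag: str                      # TrickBot's campaign/botnet tag ("zem1" above)
    c2: list = field(default_factory=list)        # [(ip, port), ...]
    autorun: list = field(default_factory=list)   # module names, e.g. pwgrabb
    rejected: list = field(default_factory=list)  # lines that failed validation


_C2_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")


def parse_config(text: str) -> TrickbotConfig:
    """Read family/version/gtag, then C2 lines, then the fused autorun line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config block too short: expected family, version, gtag")
    cfg = TrickbotConfig(family=lines[0], version=lines[1], gtag=lines[2])
    for line in lines[3:]:
        if line.lower().startswith("autorun"):
            # Raw layout fuses module names: "autorunName:pwgrabbName:pwgrabc"
            cfg.autorun.extend(p for p in line[len("autorun"):].split("Name:") if p)
            continue
        m = _C2_RE.match(line)
        if not m:
            cfg.rejected.append(line)
            continue
        host, port = m.group("host"), int(m.group("port"))
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            cfg.rejected.append(line)
            continue
        # Private, loopback or link-local addresses in a C2 list are extractor
        # noise; blocking them would break the local network, so keep them out.
        if not ip.is_global or not 1 <= port <= 65535:
            cfg.rejected.append(line)
            continue
        cfg.c2.append((str(ip), port))
    return cfg


def suricata_rules(cfg: TrickbotConfig, base_sid: int = 9000000) -> list:
    """One outbound alert rule per validated C2 endpoint (SID range assumed)."""
    rules = []
    for i, (ip, port) in enumerate(cfg.c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{cfg.family} C2 gtag={cfg.gtag} ver={cfg.version}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print("rejected:", parsed.rejected)
    print("\n".join(suricata_rules(parsed)))
```

Feeding the full 36-entry list from the report through parse_config gives one rule per server; anything the extractor mis-parsed lands in cfg.rejected for manual review instead of silently becoming a firewall entry.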
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 4: myexternalip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  wermgr.exe (PID 2024): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1944 regsvr32.exe wrote to memory of PID 1936 regsvr32.exe (7 events)
  PID 1936 regsvr32.exe wrote to memory of PID 2024 wermgr.exe (6 events)
Processes
- C:\Windows\system32\regsvr32.exe (PID 1944)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1936)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wermgr.exe (PID 2024)
      Command line: C:\Windows\system32\wermgr.exe
      Signatures: Suspicious use of AdjustPrivilegeToken
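The process tree and the WriteProcessMemory signature together describe the loader chain: 64-bit regsvr32 silently registers a DLL dropped in the user's Temp directory, the 32-bit (SysWOW64) regsvr32 it hands off to spawns wermgr.exe, writes into that process, and the child then enables SeDebugPrivilege. The block below is an added example, not part of this report and not Triage's detection code: a hunt over constructed Sysmon-style process, cross-process-write and privilege events that mirror the PIDs above, with two benign decoys (a system-directory COM registration and wermgr.exe started by svchost.exe). The event field names, the decoy PIDs and the "wermgr.exe is normally a child of the WER service host" heuristic are the author's assumptions.

```python
"""Hunt for the regsvr32 -> regsvr32 -> wermgr.exe injection chain from the report.

Added example; not from the report or from Triage. EVENTS is a constructed,
Sysmon-style event list whose field names are the author's assumptions.
"""
import re
from collections import defaultdict

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0.dll")

EVENTS = [
    # The chain from the report (PIDs 1944 -> 1936 -> 2024); ppid 1100 is assumed.
    {"type": "create", "pid": 1944, "ppid": 1100,
     "image": r"C:\Windows\system32\regsvr32.exe", "cmd": f"regsvr32 /s {DLL}"},
    {"type": "create", "pid": 1936, "ppid": 1944,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe", "cmd": f"/s {DLL}"},
    {"type": "create", "pid": 2024, "ppid": 1936,
     "image": r"C:\Windows\system32\wermgr.exe", "cmd": r"C:\Windows\system32\wermgr.exe"},
    {"type": "memwrite", "src": 1944, "dst": 1936},
    {"type": "memwrite", "src": 1936, "dst": 2024},
    {"type": "privilege", "pid": 2024, "name": "SeDebugPrivilege"},
    # Decoys (constructed): a COM registration from System32, and wermgr.exe
    # launched by the WER service host, which is how it normally appears.
    {"type": "create", "pid": 1500, "ppid": 900,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Windows\System32\msxml6.dll"},
    {"type": "create", "pid": 3000, "ppid": 700,
     "image": r"C:\Windows\system32\svchost.exe", "cmd": r"svchost.exe -k WerSvcGroup"},
    {"type": "create", "pid": 3001, "ppid": 3000,
     "image": r"C:\Windows\system32\wermgr.exe", "cmd": r"C:\Windows\system32\wermgr.exe -upload"},
]

# User-writable locations a silently registered DLL should rarely come from.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


def suspicious_regsvr32(ev: dict) -> bool:
    """regsvr32 with /s (no UI) loading a DLL that lives in a user-writable path."""
    return (ev["image"].lower().endswith("\\regsvr32.exe")
            and re.search(r"(^|\s)/s(\s|$)", ev["cmd"], re.I) is not None
            and USER_WRITABLE.search(ev["cmd"]) is not None)


def lineage(procs: dict, pid: int) -> list:
    """[pid, parent, grandparent, ...] limited to PIDs seen in create events."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def hunt(events: list) -> list:
    """Flag wermgr.exe instances descended from, or written into by, a suspicious regsvr32."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    writes = defaultdict(set)          # target pid -> set of writer pids
    for e in events:
        if e["type"] == "memwrite":
            writes[e["dst"]].add(e["src"])
    debug = {e["pid"] for e in events
             if e["type"] == "privilege" and e["name"] == "SeDebugPrivilege"}

    findings = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("\\wermgr.exe"):
            continue
        ancestors = lineage(procs, pid)[1:]
        loader = next((a for a in ancestors if suspicious_regsvr32(procs[a])), None)
        # Cross-process writes count when the writer itself descends from the loader.
        written_by = {s for s in writes[pid]
                      if any(suspicious_regsvr32(procs[x]) for x in lineage(procs, s))}
        if loader is None and not written_by:
            continue                   # e.g. wermgr.exe under svchost.exe with no writes
        findings.append({
            "pid": pid,
            "chain": list(reversed(lineage(procs, pid))),   # root first
            "loader": loader,
            "written_by": sorted(written_by),
            "se_debug": pid in debug,   # SeDebugPrivilege is needed for further injection
        })
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
```

The decoy wermgr.exe (PID 3001) is not reported because neither its ancestry nor any cross-process write leads back to a regsvr32 that loaded a DLL from a user-writable directory; on real telemetry the same two conditions keep Windows Error Reporting's own wermgr.exe activity out of the result set.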
Network
MITRE ATT&CK Matrix
Downloads
- memory/1936-70-0x0000000000280000-0x00000000002B9000-memory.dmp (Filesize: 228KB)
- memory/1936-61-0x0000000000000000-mapping.dmp
- memory/1936-62-0x00000000760B1000-0x00000000760B3000-memory.dmp (Filesize: 8KB)
- memory/1936-63-0x00000000002C0000-0x00000000002FB000-memory.dmp (Filesize: 236KB)
- memory/1936-66-0x0000000000360000-0x0000000000399000-memory.dmp (Filesize: 228KB)
- memory/1936-68-0x0000000000870000-0x00000000008A8000-memory.dmp (Filesize: 224KB)
- memory/1936-72-0x0000000000330000-0x0000000000341000-memory.dmp (Filesize: 68KB)
- memory/1936-71-0x0000000002000000-0x0000000002045000-memory.dmp (Filesize: 276KB)
- memory/1936-73-0x0000000000301000-0x0000000000303000-memory.dmp (Filesize: 8KB)
- memory/1944-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp (Filesize: 8KB)
- memory/2024-74-0x0000000000000000-mapping.dmp
- memory/2024-75-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
- memory/2024-76-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)