Resubmissions
- 14-10-2021 20:59  211014-zsx7haace7  score 10
- 14-10-2021 20:35  211014-zc33taacc7  score 10
- 14-10-2021 19:28  211014-x63b9sbaan  score 10
- 14-10-2021 18:08  211014-wqwdcaahbn  score 10

Analysis
- Max time kernel: 1168s
- Max time network: 1214s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 14-10-2021 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: redplane.png.dll
- Resource: win7-en-20211014
General
- Target: redplane.png.dll
- Size: 688KB
- MD5: cbf9d8f27702f1845413a9be784cd616
- SHA1: cca1d33437022eae2c55f01774372b805043130b
- SHA256: 14da4c490e00343fde9db5a283c5b2f36d9699e5b5ef6df7f40ff51f97cbe8fe
- SHA512: 16511ed8698d62914189b5315145f1b1903b242336090d4673bf206b08733e544909bb4597a7406b1f77349aab27a62690638131ea7a1df2d735f028d1f8d7c3
Malware Config
Extracted
- Family: trickbot
- Version: 100019
- Botnet: sof1
- C2:
- autorun: Name: pwgrabb; Name: pwgrabc
Signatures
- Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   3912  wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                        pid   process       target process
  PID 4068 wrote to memory of 3600   4068  rundll32.exe  rundll32.exe
  PID 4068 wrote to memory of 3600   4068  rundll32.exe  rundll32.exe
  PID 4068 wrote to memory of 3600   4068  rundll32.exe  rundll32.exe
  PID 3600 wrote to memory of 3928   3600  rundll32.exe  cmd.exe
  PID 3600 wrote to memory of 3928   3600  rundll32.exe  cmd.exe
  PID 3600 wrote to memory of 3928   3600  rundll32.exe  cmd.exe
  PID 3600 wrote to memory of 3912   3600  rundll32.exe  wermgr.exe
  PID 3600 wrote to memory of 3912   3600  rundll32.exe  wermgr.exe
  PID 3600 wrote to memory of 3912   3600  rundll32.exe  wermgr.exe
  PID 3600 wrote to memory of 3912   3600  rundll32.exe  wermgr.exe
Processes (tree; PIDs taken from the WriteProcessMemory IoCs above)
- C:\Windows\system32\rundll32.exe (PID 4068)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\redplane.png.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3600)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\redplane.png.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3928)
      C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe (PID 3912)
      C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/3600-115-0x0000000000000000-mapping.dmp
- memory/3600-116-0x00000000007B0000-0x00000000007EB000-memory.dmp (236KB)
- memory/3600-120-0x0000000000843000-0x0000000000844000-memory.dmp (4KB)
- memory/3600-119-0x0000000000841000-0x0000000000843000-memory.dmp (8KB)
- memory/3600-122-0x00000000008B5000-0x00000000008B6000-memory.dmp (4KB)
- memory/3600-121-0x0000000000881000-0x00000000008B5000-memory.dmp (208KB)
- memory/3600-124-0x0000000004240000-0x00000000042CE000-memory.dmp (568KB)
- memory/3600-123-0x0000000004240000-0x00000000042CE000-memory.dmp (568KB)
- memory/3600-125-0x0000000002BE0000-0x0000000002BE1000-memory.dmp (4KB)
- memory/3600-126-0x0000000002AB1000-0x0000000002AB3000-memory.dmp (8KB)
- memory/3912-127-0x0000000000000000-mapping.dmp
- memory/3912-128-0x0000018570FB0000-0x0000018570FD9000-memory.dmp (164KB)
- memory/3912-129-0x00000185711C0000-0x00000185711C1000-memory.dmp (4KB)
- memory/3912-131-0x00000185711F0000-0x00000185711F2000-memory.dmp (8KB)
- memory/3912-130-0x00000185711F0000-0x00000185711F2000-memory.dmp (8KB)