Analysis
max time kernel: 1166s
max time network: 1178s
platform: windows7_x64
resource: win7-en-20210920
submitted: 19-10-2021 21:50
Static task: static1
Behavioral task: behavioral1
Sample: clb.dll
Resource: win7-en-20210920
General
Target: clb.dll
Size: 588KB
MD5: 4f142d0fca158d333b98bd20ec2c70c8
SHA1: 716cab4911102cd47ebc577d5712ade3f55e1729
SHA256: 25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1
SHA512: 50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826
Malware Config
Extracted
trickbot
100019
rob136
autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures
Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
suricata: ET MALWARE TrickBot Related Activity (GET)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1164 | wermgr.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1696 wrote to memory of 868 | 1696 | rundll32.exe | rundll32.exe (7 entries)
  PID 868 wrote to memory of 1728 | 868 | rundll32.exe | cmd.exe (4 entries)
  PID 868 wrote to memory of 1164 | 868 | rundll32.exe | wermgr.exe (6 entries)
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
    Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
      Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe
      C:\Windows\system32\wermgr.exe
        command line: C:\Windows\system32\wermgr.exe
        Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/868-53-0x0000000000000000-mapping.dmp
memory/868-54-0x00000000767F1000-0x00000000767F3000-memory.dmp (Filesize 8KB)
memory/868-55-0x0000000000790000-0x00000000007C9000-memory.dmp (Filesize 228KB)
memory/868-56-0x0000000000830000-0x000000000086B000-memory.dmp (Filesize 236KB)
memory/868-60-0x0000000000873000-0x0000000000874000-memory.dmp (Filesize 4KB)
memory/868-59-0x0000000000871000-0x0000000000873000-memory.dmp (Filesize 8KB)
memory/868-61-0x00000000008B1000-0x00000000008E5000-memory.dmp (Filesize 208KB)
memory/868-62-0x00000000008E5000-0x00000000008E6000-memory.dmp (Filesize 4KB)
memory/868-64-0x0000000000910000-0x0000000000955000-memory.dmp (Filesize 276KB)
memory/868-63-0x0000000000790000-0x00000000007C9000-memory.dmp (Filesize 228KB)
memory/868-65-0x0000000000300000-0x0000000000311000-memory.dmp (Filesize 68KB)
memory/868-66-0x00000000001F1000-0x00000000001F3000-memory.dmp (Filesize 8KB)
memory/1164-67-0x0000000000000000-mapping.dmp
memory/1164-68-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize 164KB)
memory/1164-69-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize 4KB)