Resubmissions
- 21-10-2021 10:35  211021-mmmglaback  10
- 20-10-2021 19:12  211020-xwr4jshed7  10
- 20-10-2021 17:12  211020-vqvldaacdj  10
Analysis
- max time kernel: 123s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 20-10-2021 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: Documents.tmp.dll
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: Documents.tmp.dll
- Resource: win10-en-20210920
General
- Target: Documents.tmp.dll
- Size: 1.7MB
- MD5: 133f935f9bc1c919af18db30f9db657d
- SHA1: afb6253e491e109ebe2445ab4935f37120420b5c
- SHA256: 0648bdad8a597280f65f4db2448ba1524d6508841933156f4dfef9d1fe2e5075
- SHA512: 5d0c5f6ca0b28253a3537c11cfc7f5a72e417c4b4607a148dfa770c307466e81058f56b7ad67cb32761442cda0d720ea23281b41b4979f545ceff5041327cd04
Malware Config
Extracted
trickbot
100019
leg1
- autorun
  Name: pwgrabb
  Name: pwgrabc
Signatures
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  8 | ident.me
  9 | ident.me
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2040 | wermgr.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1148 wrote to memory of 1308 | 1148 | regsvr32.exe | regsvr32.exe
  PID 1308 wrote to memory of 1604 | 1308 | regsvr32.exe | cmd.exe
  PID 1308 wrote to memory of 1604 | 1308 | regsvr32.exe | cmd.exe
  PID 1308 wrote to memory of 1604 | 1308 | regsvr32.exe | cmd.exe
  PID 1308 wrote to memory of 1604 | 1308 | regsvr32.exe | cmd.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
  PID 1308 wrote to memory of 2040 | 1308 | regsvr32.exe | wermgr.exe
Processes
- C:\Windows\system32\regsvr32.exe  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Documents.tmp.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe  /s C:\Users\Admin\AppData\Local\Temp\Documents.tmp.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe  C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1148-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp (8KB)
- memory/1308-55-0x0000000000000000-mapping.dmp
- memory/1308-56-0x00000000754A1000-0x00000000754A3000-memory.dmp (8KB)
- memory/1308-57-0x00000000009C0000-0x0000000000A40000-memory.dmp (512KB)
- memory/1308-59-0x0000000000220000-0x0000000000231000-memory.dmp (68KB)
- memory/1308-58-0x0000000000380000-0x00000000003C5000-memory.dmp (276KB)
- memory/1308-60-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
- memory/2040-61-0x0000000000000000-mapping.dmp
- memory/2040-62-0x0000000000060000-0x0000000000089000-memory.dmp (164KB)
- memory/2040-63-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)