Analysis
-
max time kernel
171s -
max time network
189s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 21:26
Static task
static1
General
-
Target
5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll
-
Size
706KB
-
MD5
6130d265357ce71154ba46051203c96a
-
SHA1
4446b675dad569c38126bc170a6dcac18d740500
-
SHA256
5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603
-
SHA512
d00657e8cc18c0ed528d461842037067d410c34c61422fb8d1a3c15842dcd8f8edc233c738f5df797a9e590d30bab0b543bea26b8e3ab8cf83df3f1c961869f8
Malware Config
Extracted
trickbot
100019
rob136
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
-
autorunName:pwgrabbName:pwgrabc
Signatures
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 45 wtfismyip.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 920 wermgr.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2336 wrote to memory of 3060 2336 rundll32.exe rundll32.exe PID 2336 wrote to memory of 3060 2336 rundll32.exe rundll32.exe PID 2336 wrote to memory of 3060 2336 rundll32.exe rundll32.exe PID 3060 wrote to memory of 916 3060 rundll32.exe cmd.exe PID 3060 wrote to memory of 916 3060 rundll32.exe cmd.exe PID 3060 wrote to memory of 916 3060 rundll32.exe cmd.exe PID 3060 wrote to memory of 920 3060 rundll32.exe wermgr.exe PID 3060 wrote to memory of 920 3060 rundll32.exe wermgr.exe PID 3060 wrote to memory of 920 3060 rundll32.exe wermgr.exe PID 3060 wrote to memory of 920 3060 rundll32.exe wermgr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe3⤵
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/920-120-0x0000000000000000-mapping.dmp
-
memory/920-121-0x00000270690C0000-0x00000270690E9000-memory.dmpFilesize
164KB
-
memory/920-122-0x0000027069100000-0x0000027069101000-memory.dmpFilesize
4KB
-
memory/920-123-0x0000027069300000-0x0000027069302000-memory.dmpFilesize
8KB
-
memory/920-124-0x0000027069300000-0x0000027069302000-memory.dmpFilesize
8KB
-
memory/3060-115-0x0000000000000000-mapping.dmp
-
memory/3060-116-0x00000000043F0000-0x0000000004658000-memory.dmpFilesize
2.4MB
-
memory/3060-117-0x0000000000B50000-0x0000000000B95000-memory.dmpFilesize
276KB
-
memory/3060-118-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/3060-119-0x0000000010001000-0x0000000010003000-memory.dmpFilesize
8KB