Analysis
-
max time kernel
139s -
max time network
161s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21-10-2021 21:29
Static task
static1
General
-
Target
21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll
-
Size
706KB
-
MD5
43631f2757ede0112fc8fe30deea8acc
-
SHA1
c82bf7a08287158d9a6a22467eadd7e9cbe242c2
-
SHA256
21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f
-
SHA512
f1e282632419a768efd807daf36f57a6b883747698da298caf48a2d48b2f2d0ed1f2bbd0c5b1633bba27af15e596ce0b2c0dcface72661500ca29fac4264c6ce
Malware Config
Extracted
trickbot
100019
rob136
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
-
autorunName:pwgrabbName:pwgrabc
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 2416 wermgr.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3500 wrote to memory of 3132 3500 rundll32.exe rundll32.exe PID 3500 wrote to memory of 3132 3500 rundll32.exe rundll32.exe PID 3500 wrote to memory of 3132 3500 rundll32.exe rundll32.exe PID 3132 wrote to memory of 2212 3132 rundll32.exe cmd.exe PID 3132 wrote to memory of 2212 3132 rundll32.exe cmd.exe PID 3132 wrote to memory of 2212 3132 rundll32.exe cmd.exe PID 3132 wrote to memory of 2416 3132 rundll32.exe wermgr.exe PID 3132 wrote to memory of 2416 3132 rundll32.exe wermgr.exe PID 3132 wrote to memory of 2416 3132 rundll32.exe wermgr.exe PID 3132 wrote to memory of 2416 3132 rundll32.exe wermgr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe3⤵
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2416-120-0x0000000000000000-mapping.dmp
-
memory/2416-122-0x0000025AE7F60000-0x0000025AE7F61000-memory.dmpFilesize
4KB
-
memory/2416-121-0x0000025AE7E50000-0x0000025AE7E79000-memory.dmpFilesize
164KB
-
memory/2416-124-0x0000025AE8090000-0x0000025AE8092000-memory.dmpFilesize
8KB
-
memory/2416-123-0x0000025AE8090000-0x0000025AE8092000-memory.dmpFilesize
8KB
-
memory/3132-115-0x0000000000000000-mapping.dmp
-
memory/3132-116-0x0000000000DF0000-0x0000000001058000-memory.dmpFilesize
2.4MB
-
memory/3132-117-0x0000000000980000-0x00000000009C5000-memory.dmpFilesize
276KB
-
memory/3132-119-0x0000000010001000-0x0000000010003000-memory.dmpFilesize
8KB
-
memory/3132-118-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB