21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f

General
Target: 21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll
Filesize: 706KB
Completed: 21-10-2021 21:32
Score: 10/10
MD5: 43631f2757ede0112fc8fe30deea8acc
SHA1: c82bf7a08287158d9a6a22467eadd7e9cbe242c2
SHA256: 21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f

Malware Config

Extracted
Family: trickbot
Version: 100019
Botnet: rob136
C2


Attributes
autorun
Name: pwgrabb
Name: pwgrabc
ecc_pubkey.base64
Signatures 3


  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Suspicious use of AdjustPrivilegeToken
    wermgr.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   2416  wermgr.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe, rundll32.exe

    Reported IOCs

    description                        pid   process       target process
    PID 3500 wrote to memory of 3132   3500  rundll32.exe  rundll32.exe
    PID 3500 wrote to memory of 3132   3500  rundll32.exe  rundll32.exe
    PID 3500 wrote to memory of 3132   3500  rundll32.exe  rundll32.exe
    PID 3132 wrote to memory of 2212   3132  rundll32.exe  cmd.exe
    PID 3132 wrote to memory of 2212   3132  rundll32.exe  cmd.exe
    PID 3132 wrote to memory of 2212   3132  rundll32.exe  cmd.exe
    PID 3132 wrote to memory of 2416   3132  rundll32.exe  wermgr.exe
    PID 3132 wrote to memory of 2416   3132  rundll32.exe  wermgr.exe
    PID 3132 wrote to memory of 2416   3132  rundll32.exe  wermgr.exe
    PID 3132 wrote to memory of 2416   3132  rundll32.exe  wermgr.exe
Processes 4
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#1
    Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#1
      Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        PID:2212
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        Suspicious use of AdjustPrivilegeToken
        PID:2416
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation