Analysis
Max time kernel: 147s
Max time network: 163s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 21-10-2021 21:29
Static task: static1
General
Target: 25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll
Size: 706KB
MD5: d8cf7a3d7db26001b24685c3629eea77
SHA1: 22b30009a5ec97ae5f028e2f5985e2f50ffce91c
SHA256: 25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af
SHA512: 23c074e4969bfb05a9eb65feb7994339aee346d84fb4b37fe2672cd0537ddb10b92a49509dfa27829d09094ca0f35cf34a7d08c669d53c806a7278260f67a3e2
Malware Config
Extracted
Family: trickbot
Version: 100019
gtag: rob136
C2 (all entries are IPv4:443):
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Autorun:
Name: pwgrabb
Name: pwgrabc
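Turning the extracted configuration into something usable for hunting, as an added example that is not part of the sandbox report: the C2 list above is parsed into a lookup table, matched against constructed connection-log lines (the log format, source hosts and non-C2 destinations are invented for the example), and emitted as Suricata-style IP rules. Because every C2 sits on TCP/443, the match is on destination address and port together, and a near-miss address is included to show that prefix matches must not count.

```python
import ipaddress

# Extracted TrickBot C2 list copied from the report above (version 100019,
# gtag rob136). Every entry is a bare IPv4 on TCP/443, so port alone is
# no discriminator; the match has to be on the destination address.
TRICKBOT_C2 = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""


def parse_c2_list(text):
    """Turn 'ip:port' lines into {ip: port}; ValueError on a malformed ip."""
    c2 = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        c2[str(ipaddress.ip_address(host))] = int(port)
    return c2


# Constructed connection records (not real traffic) in a simple
# whitespace-separated layout: ts src sport dst dport proto.
# 185.56.175.12 is a deliberate near-miss of a real C2 (185.56.175.122).
SAMPLE_CONN_LOG = """
# ts src sport dst dport proto
2021-10-21T21:30:01Z 10.0.0.15 49812 46.99.175.217 443 tcp
2021-10-21T21:30:02Z 10.0.0.15 49813 142.250.74.78 443 tcp
2021-10-21T21:30:05Z 10.0.0.22 50110 62.99.79.77 8443 tcp
2021-10-21T21:30:07Z 10.0.0.22 50111 62.99.79.77 443 tcp
2021-10-21T21:30:09Z 10.0.0.22 50112 185.56.175.12 443 tcp
"""


def match_connections(log_text, c2):
    """Return (ts, src, dst, dport) for every flow to a configured C2."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto = line.split()
        if c2.get(dst) == int(dport):          # exact address and port match
            hits.append((ts, src, dst, int(dport)))
    return hits


def suricata_rules(c2, sid_base=9000000, gtag="rob136"):
    """Emit one Suricata/Snort-style alert rule per C2 (IP-only match)."""
    rules = []
    for n, (ip, port) in enumerate(sorted(c2.items())):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"TrickBot C2 {gtag} {ip}"; flow:to_server; '
            f'sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(TRICKBOT_C2)
    for hit in match_connections(SAMPLE_CONN_LOG, c2):
        print("C2 contact:", *hit)
    print("\n".join(suricata_rules(c2)))
```

The sid base and the `$HOME_NET` variable are placeholders to be adjusted to the local ruleset; the rules only match the address, so a TLS fingerprint or a JA3 rule is the natural next layer if the C2 IPs rotate.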
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
  wermgr.exe (PID 1040): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3464 rundll32.exe wrote to memory of PID 656 rundll32.exe (3 times)
  PID 656 rundll32.exe wrote to memory of PID 440 cmd.exe (3 times)
  PID 656 rundll32.exe wrote to memory of PID 1040 wermgr.exe (4 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 3464)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 656)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll,#1
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 440)
      Command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe (PID 1040)
      Command line: C:\Windows\system32\wermgr.exe
      Signature: Suspicious use of AdjustPrivilegeToken
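The process tree and the two signatures above describe one chain: rundll32 loads the dropped DLL from %TEMP% by export ordinal, relaunches its SysWOW64 copy, writes into the memory of the cmd.exe and wermgr.exe children it spawns, and the injected wermgr.exe then enables SeDebugPrivilege. As an added example that is not part of the sandbox report, the detection below replays constructed telemetry modelled on that chain (PIDs, images and command lines are taken from the report; the event layout, the PID 1200 parent and the benign control-panel rundll32 launch are assumptions) and raises one alert per stage.

```python
import re

# Constructed telemetry modelled on the process tree and the
# WriteProcessMemory / AdjustPrivilegeToken signatures in this report.
# PIDs, images and command lines are taken from the report; the event
# layout and the PID 1200 parent are assumptions, not a vendor schema.
DLL = r"C:\Users\Admin\AppData\Local\Temp\25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll"
EVENTS = [
    {"type": "process_create", "pid": 3464, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 656, "ppid": 3464,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "write_process_memory", "src_pid": 3464, "target_pid": 656},
    {"type": "process_create", "pid": 440, "ppid": 656,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"type": "write_process_memory", "src_pid": 656, "target_pid": 440},
    {"type": "process_create", "pid": 1040, "ppid": 656,
     "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"type": "write_process_memory", "src_pid": 656, "target_pid": 1040},
    {"type": "adjust_privilege", "pid": 1040, "privilege": "SeDebugPrivilege"},
    # constructed benign control: rundll32 calling a named export of a system DLL
    {"type": "process_create", "pid": 2000, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL out of a user-writable temp directory by export ordinal
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Replay events in order; return (rule, pid, detail) alerts."""
    procs, injected, alerts = {}, set(), []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            if basename(ev["image"]) == "rundll32.exe" and TEMP_DLL_ORDINAL.search(ev["cmdline"]):
                alerts.append(("rundll32_temp_dll_ordinal", ev["pid"], ev["cmdline"]))
        elif kind == "write_process_memory":
            src, tgt = procs.get(ev["src_pid"]), procs.get(ev["target_pid"])
            if not src or not tgt:
                continue
            # rundll32 writing into a child that is not another rundll32; the
            # 64-bit rundll32 relaunching its SysWOW64 copy (3464 -> 656) is
            # ordinary for a 32-bit DLL and is deliberately not flagged
            if (basename(src["image"]) == "rundll32.exe"
                    and tgt["ppid"] == src["pid"]
                    and basename(tgt["image"]) != "rundll32.exe"):
                injected.add(tgt["pid"])
                alerts.append(("rundll32_writes_child_memory", src["pid"], basename(tgt["image"])))
        elif kind == "adjust_privilege":
            # a process that was just written into now enables SeDebugPrivilege
            if ev["privilege"] == "SeDebugPrivilege" and ev["pid"] in injected:
                alerts.append(("injected_process_enables_sedebug", ev["pid"],
                               basename(procs[ev["pid"]]["image"])))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

The third rule is the one worth keeping even when the first two are tuned down: wermgr.exe (Windows Error Reporting) has no business enabling SeDebugPrivilege, and the chain of rundll32 writing into its own freshly spawned child followed by that child adjusting its token is what ties the page's two signatures together.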
Network
MITRE ATT&CK Matrix
Downloads
memory/656-118-0x0000000000000000-mapping.dmp
memory/656-119-0x0000000000F10000-0x0000000000FBE000-memory.dmp (696KB)
memory/656-120-0x0000000001200000-0x0000000001245000-memory.dmp (276KB)
memory/656-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (4KB)
memory/656-122-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
memory/1040-123-0x0000000000000000-mapping.dmp
memory/1040-124-0x000001AD43550000-0x000001AD43579000-memory.dmp (164KB)
memory/1040-125-0x000001AD43590000-0x000001AD43591000-memory.dmp (4KB)
memory/1040-126-0x000001AD435C0000-0x000001AD435C2000-memory.dmp (8KB)
memory/1040-127-0x000001AD435C0000-0x000001AD435C2000-memory.dmp (8KB)