Analysis
-
max time kernel
122s -
max time network
140s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 21:31
Static task
static1
General
-
Target
7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll
-
Size
706KB
-
MD5
1d540a666e26e0559264138d220ef906
-
SHA1
3f614a8df1fa107e9cfd9787c42bbe06186af7c1
-
SHA256
7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a
-
SHA512
97afc6d26759be86f16507a097dae016fc49a33515d8069cff5f25e3a2ab44617bf7a4867d6f4ede9010258625bc07fd27fdd0c7a4ca09b4cb49d0dfb69e0e5c
Malware Config
Extracted
trickbot
100019
rob136
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
-
autorunName:pwgrabbName:pwgrabc
Signatures
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 ipinfo.io -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3180 wermgr.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2848 wrote to memory of 3068 2848 rundll32.exe rundll32.exe PID 2848 wrote to memory of 3068 2848 rundll32.exe rundll32.exe PID 2848 wrote to memory of 3068 2848 rundll32.exe rundll32.exe PID 3068 wrote to memory of 1552 3068 rundll32.exe cmd.exe PID 3068 wrote to memory of 1552 3068 rundll32.exe cmd.exe PID 3068 wrote to memory of 1552 3068 rundll32.exe cmd.exe PID 3068 wrote to memory of 3180 3068 rundll32.exe wermgr.exe PID 3068 wrote to memory of 3180 3068 rundll32.exe wermgr.exe PID 3068 wrote to memory of 3180 3068 rundll32.exe wermgr.exe PID 3068 wrote to memory of 3180 3068 rundll32.exe wermgr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe3⤵
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3068-115-0x0000000000000000-mapping.dmp
-
memory/3068-116-0x0000000004A20000-0x0000000004C88000-memory.dmpFilesize
2.4MB
-
memory/3068-117-0x0000000004D90000-0x0000000004DD5000-memory.dmpFilesize
276KB
-
memory/3068-118-0x0000000003210000-0x0000000003211000-memory.dmpFilesize
4KB
-
memory/3068-119-0x0000000010001000-0x0000000010003000-memory.dmpFilesize
8KB
-
memory/3180-120-0x0000000000000000-mapping.dmp
-
memory/3180-122-0x000002356FCD0000-0x000002356FCD1000-memory.dmpFilesize
4KB
-
memory/3180-121-0x000002356FAB0000-0x000002356FAD9000-memory.dmpFilesize
164KB
-
memory/3180-124-0x000002356FD00000-0x000002356FD02000-memory.dmpFilesize
8KB
-
memory/3180-123-0x000002356FD00000-0x000002356FD02000-memory.dmpFilesize
8KB