Analysis
max time kernel: 134s
max time network: 157s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 06:19
Static task: static1
Behavioral task: behavioral1 (Sample: Documents.lnk; Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: Documents.lnk; Resource: win10-en-20210920)
Behavioral task: behavioral3 (Sample: Documents.tmp.dll; Resource: win7-en-20210920)
Behavioral task: behavioral4 (Sample: Documents.tmp.dll; Resource: win10-en-20211014)
General
Target: Documents.lnk
Size: 1KB
MD5: 0c87cf536140349af097d10fd388e8d8
SHA1: a8e880685cf6cce8c3d254de7420649fa4e881b8
SHA256: d43f97b1e8bc5537b0820c22abaab7fee4747767464cdfbef6758b678c998331
SHA512: 63589bfde2c1211553ddd64f4c77c6f3a06a2576edd25aad67936f77735d35152f025c029aeefb2427d12e1eaa565794774f49da131fee7f68829002373b1a2e
Malware Config
Extracted family: trickbot
Version: 100019
Botnet: leg1
autorun: Name: pwgrabb; Name: pwgrabc
Signatures
Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe (PID 4240)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: wermgr.exe (PID 4268): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID/process wrote to memory of target PID/process; 16 events in total):
    PID 3596 cmd.exe wrote to memory of PID 3936 cmd.exe (2 events)
    PID 3936 cmd.exe wrote to memory of PID 4016 xcopy.exe (2 events)
    PID 3936 cmd.exe wrote to memory of PID 4352 rundll32.exe (2 events)
    PID 4352 rundll32.exe wrote to memory of PID 4240 rundll32.exe (3 events)
    PID 4240 rundll32.exe wrote to memory of PID 4256 cmd.exe (3 events)
    PID 4240 rundll32.exe wrote to memory of PID 4268 wermgr.exe (4 events)
Processes (indented by parent/child depth)
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C xcopy /H /y Documents.tmp c:\programdata && start rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer && del Documents.lnk && del Documents.tmp && mkdir Documents && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\xcopy.exe
      Command line: xcopy /H /y Documents.tmp c:\programdata
    C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe
        C:\Windows\system32\wermgr.exe
          Command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
\??\c:\programdata\Documents.tmp
  MD5: ac1d4a51b8c1f7f98a1033e5bc2e1de7
  SHA1: ddaed871b9f95a758b89c856a6d4ccf7751b8103
  SHA256: 7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7
  SHA512: 46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13
\ProgramData\Documents.tmp
  MD5: ac1d4a51b8c1f7f98a1033e5bc2e1de7
  SHA1: ddaed871b9f95a758b89c856a6d4ccf7751b8103
  SHA256: 7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7
  SHA512: 46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13
Memory dumps
memory/3936-115-0x0000000000000000-mapping.dmp
memory/4016-116-0x0000000000000000-mapping.dmp
memory/4240-121-0x00000000047D0000-0x0000000004A38000-memory.dmp (Filesize: 2.4MB)
memory/4240-119-0x0000000000000000-mapping.dmp
memory/4240-122-0x0000000004B50000-0x0000000004B95000-memory.dmp (Filesize: 276KB)
memory/4240-123-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
memory/4240-124-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
memory/4268-125-0x0000000000000000-mapping.dmp
memory/4268-126-0x00000260C7EC0000-0x00000260C7EE9000-memory.dmp (Filesize: 164KB)
memory/4268-127-0x00000260C80D0000-0x00000260C80D1000-memory.dmp (Filesize: 4KB)
memory/4268-129-0x00000260C82A0000-0x00000260C82A2000-memory.dmp (Filesize: 8KB)
memory/4268-128-0x00000260C82A0000-0x00000260C82A2000-memory.dmp (Filesize: 8KB)
memory/4352-117-0x0000000000000000-mapping.dmp