Resubmissions
- 21-10-2021 10:35: 211021-mmmglaback 10
- 20-10-2021 19:12: 211020-xwr4jshed7 10
- 20-10-2021 17:12: 211020-vqvldaacdj 10

Analysis
- max time kernel: 1200s
- max time network: 1202s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 10:35
Static task: static1
Behavioral task: behavioral1
- Sample: Documents.tmp.dll
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Documents.tmp.dll
- Resource: win10-en-20211014
General
- Target: Documents.tmp.dll
- Size: 1.7MB
- MD5: 133f935f9bc1c919af18db30f9db657d
- SHA1: afb6253e491e109ebe2445ab4935f37120420b5c
- SHA256: 0648bdad8a597280f65f4db2448ba1524d6508841933156f4dfef9d1fe2e5075
- SHA512: 5d0c5f6ca0b28253a3537c11cfc7f5a72e417c4b4607a148dfa770c307466e81058f56b7ad67cb32761442cda0d720ea23281b41b4979f545ceff5041327cd04
Malware Config
Extracted
trickbot
100019
leg1
- autorun: Name: pwgrabb, Name: pwgrabc
Signatures
-
Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
-
suricata: ET MALWARE TrickBot Related Activity (GET)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege (pid 240, process wermgr.exe)
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: regsvr32.exe, regsvr32.exe
- PID 1612 wrote to memory of 468 (pid 1612, regsvr32.exe -> regsvr32.exe), 7 times
- PID 468 wrote to memory of 1192 (pid 468, regsvr32.exe -> cmd.exe), 4 times
- PID 468 wrote to memory of 240 (pid 468, regsvr32.exe -> wermgr.exe), 6 times
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Documents.tmp.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\Documents.tmp.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/240-61-0x0000000000000000-mapping.dmp
- memory/240-62-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize: 164KB)
- memory/240-63-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
- memory/468-55-0x0000000000000000-mapping.dmp
- memory/468-56-0x00000000751A1000-0x00000000751A3000-memory.dmp (Filesize: 8KB)
- memory/468-57-0x0000000001FA0000-0x0000000002208000-memory.dmp (Filesize: 2.4MB)
- memory/468-58-0x00000000001F0000-0x0000000000270000-memory.dmp (Filesize: 512KB)
- memory/468-59-0x00000000001C0000-0x00000000001D1000-memory.dmp (Filesize: 68KB)
- memory/468-60-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/1612-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp (Filesize: 8KB)