Analysis
Max time kernel: 149s
Max time network: 179s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 21-10-2021 14:29
Static task: static1
Behavioral task: behavioral1
Sample: subzero.png.dll
Resource: win7-en-20210920
General
Target: subzero.png.dll
Size: 706KB
MD5: 5e3e206b5ae47c192987c3c624f1f70e
SHA1: d60efdd497fc9f4f4d97a8cb467cf7e914e47016
SHA256: 47ff441ab14e4ea5e8877fc22213e209070992be19dca2639e218b50f24cf9e9
SHA512: 3ffbaf138fe468194d60ec5df30929d4b55f4532057dd209392c89f41765415770b253302f868b7925b0d623a3ea6bd897be079b1a12b20107337be4007e22ad
Malware Config
Extracted
Family: trickbot
Version: 100019
Botnet: rob136
Attributes: autorun (Name: pwgrabb, Name: pwgrabc)
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 1520 | wermgr.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        | pid  | process      | target process
  PID 1876 wrote to memory of 760    | 1876 | rundll32.exe | rundll32.exe (7 events)
  PID 760 wrote to memory of 1356    | 760  | rundll32.exe | cmd.exe (4 events)
  PID 760 wrote to memory of 1520    | 760  | rundll32.exe | wermgr.exe (6 events)
Processes
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\subzero.png.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\subzero.png.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe
    C:\Windows\system32\wermgr.exe (depth 3)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
memory/760-54-0x0000000000000000-mapping.dmp
memory/760-55-0x0000000074F81000-0x0000000074F83000-memory.dmp (8KB)
memory/760-56-0x0000000001E90000-0x00000000020F8000-memory.dmp (2.4MB)
memory/760-58-0x00000000001D0000-0x00000000001E1000-memory.dmp (68KB)
memory/760-57-0x0000000000320000-0x0000000000365000-memory.dmp (276KB)
memory/760-59-0x0000000010001000-0x0000000010003000-memory.dmp (8KB)
memory/1520-60-0x0000000000000000-mapping.dmp
memory/1520-61-0x0000000000060000-0x0000000000089000-memory.dmp (164KB)
memory/1520-62-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)