Analysis

max time kernel: 124s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07-12-2021 12:57

Static task: static1
General

Target: 6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll
Size: 1.8MB
MD5: 7a5d7f3b659224502ee69c4ab2a8f5c3
SHA1: 18c807363fa2ac1508df8340f41ce278cf854e19
SHA256: 6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223
SHA512: 3495a11daf4c4dee651e0a891980f8e48a8d4c4d33049139e23e6b0e7ebb7bdc87fba805b8b6d7001fad1704282f483464bd2e5668fb036106706250392d6dba
Malware Config

Extracted: trickbot 100019 rob141
C2: 18 IP:443 entries
autorun
Name: pwgrabb
Name: pwgrabc
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  32    wtfismyip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  description              pid   process
  Token: SeDebugPrivilege  2692  wermgr.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 2148 wrote to memory of 2332   2148  rundll32.exe  rundll32.exe
  PID 2148 wrote to memory of 2332   2148  rundll32.exe  rundll32.exe
  PID 2148 wrote to memory of 2332   2148  rundll32.exe  rundll32.exe
  PID 2332 wrote to memory of 2708   2332  rundll32.exe  cmd.exe
  PID 2332 wrote to memory of 2708   2332  rundll32.exe  cmd.exe
  PID 2332 wrote to memory of 2708   2332  rundll32.exe  cmd.exe
  PID 2332 wrote to memory of 2692   2332  rundll32.exe  wermgr.exe
  PID 2332 wrote to memory of 2692   2332  rundll32.exe  wermgr.exe
  PID 2332 wrote to memory of 2692   2332  rundll32.exe  wermgr.exe
  PID 2332 wrote to memory of 2692   2332  rundll32.exe  wermgr.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe
      3. C:\Windows\system32\wermgr.exe
         C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Downloads

File                                                                Filesize
memory/2332-115-0x0000000000000000-mapping.dmp                      -
memory/2332-117-0x0000000002FA0000-0x0000000002FE5000-memory.dmp    276KB
memory/2332-116-0x0000000004800000-0x0000000004A68000-memory.dmp    2.4MB
memory/2332-118-0x0000000003010000-0x0000000003011000-memory.dmp    4KB
memory/2332-119-0x0000000010001000-0x0000000010003000-memory.dmp    8KB
memory/2692-120-0x0000000000000000-mapping.dmp                      -
memory/2692-122-0x00000139D33C0000-0x00000139D33C1000-memory.dmp    4KB
memory/2692-121-0x00000139D3380000-0x00000139D33A8000-memory.dmp    160KB
memory/2692-124-0x00000139D3410000-0x00000139D3412000-memory.dmp    8KB
memory/2692-123-0x00000139D3410000-0x00000139D3412000-memory.dmp    8KB