Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 15:59
- Static task: static1
General
- Target: 6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll
- Size: 341KB
- MD5: 6c3c580a94b9bacee6d35d0c97fb6a1a
- SHA1: 06d4c6b54b90aec9ec055814b17c1821767c20df
- SHA256: 6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079
- SHA512: f2189e3d5c490868d25f3c9420063ef46c50a4c1205856d561a249a7964131d547f6549ccd3ea45440dfccbafef7238370440ddec998a9fc83d1d43ad89915cb
Malware Config
Extracted
- Family: trickbot
- Version: 100021
- Botnet: rob144
- C2:
  181.129.85.98:443
  189.112.119.205:443
  189.51.118.78:443
  186.121.214.106:443
  49.176.188.184:443
  61.69.102.170:443
  213.32.252.221:443
  89.46.216.2:443
  103.36.79.3:443
  103.108.97.51:443
  95.140.217.242:443
  41.175.22.226:443
  190.109.169.161:443
  186.159.12.18:443
  190.109.171.17:443
  181.196.148.202:443
  186.47.75.58:443
  186.42.212.30:443
  190.214.21.14:443
  187.108.32.133:443
  201.184.226.74:443
  186.159.5.177:443
- Attributes: autorun
Signatures
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    51    api.ipify.org
    57    icanhazip.com
    32    ipecho.net
    41    ipinfo.io
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe
    description              pid   process
    Token: SeDebugPrivilege  2860  wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 2704 wrote to memory of 2744   2704  rundll32.exe  rundll32.exe
    PID 2704 wrote to memory of 2744   2704  rundll32.exe  rundll32.exe
    PID 2704 wrote to memory of 2744   2704  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 3052   2744  rundll32.exe  cmd.exe
    PID 2744 wrote to memory of 3052   2744  rundll32.exe  cmd.exe
    PID 2744 wrote to memory of 3052   2744  rundll32.exe  cmd.exe
    PID 2744 wrote to memory of 2860   2744  rundll32.exe  wermgr.exe
    PID 2744 wrote to memory of 2860   2744  rundll32.exe  wermgr.exe
    PID 2744 wrote to memory of 2860   2744  rundll32.exe  wermgr.exe
    PID 2744 wrote to memory of 2860   2744  rundll32.exe  wermgr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/2744-115-0x0000000000000000-mapping.dmp
- memory/2744-117-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
- memory/2744-116-0x0000000000C90000-0x0000000000CD2000-memory.dmp (Filesize: 264KB)
- memory/2744-118-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/2860-119-0x0000000000000000-mapping.dmp
- memory/2860-120-0x0000027036660000-0x0000027036688000-memory.dmp (Filesize: 160KB)
- memory/2860-121-0x0000027036780000-0x0000027036781000-memory.dmp (Filesize: 4KB)
- memory/2860-123-0x00000270367B0000-0x00000270367B2000-memory.dmp (Filesize: 8KB)
- memory/2860-122-0x00000270367B0000-0x00000270367B2000-memory.dmp (Filesize: 8KB)