Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 16:04
- Static task: static1
General
- Target: 24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll
- Size: 341KB
- MD5: f68156851a38691b7ae9483089f2feb9
- SHA1: 46b077e0f2634dacadde2078e933e02a3136179d
- SHA256: 24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28
- SHA512: 3844b8071b5fd98f169e48baaaabc1c49f8b788884cd6e400be71eabf3c9f44bf40a0b8deb0bbca10af47a3b3a197845dd5a48c651aa8e4b70ee9aadb61fa802
Malware Config
Extracted
trickbot
100021
rob144
181.129.85.98:443
189.112.119.205:443
189.51.118.78:443
186.121.214.106:443
49.176.188.184:443
61.69.102.170:443
213.32.252.221:443
89.46.216.2:443
103.36.79.3:443
103.108.97.51:443
95.140.217.242:443
41.175.22.226:443
190.109.169.161:443
186.159.12.18:443
190.109.171.17:443
181.196.148.202:443
186.47.75.58:443
186.42.212.30:443
190.214.21.14:443
187.108.32.133:443
201.184.226.74:443
186.159.5.177:443
- autorun
Signatures
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 23, ioc: wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid: 4308, process: wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
    PID 3824 wrote to memory of 3832, 3824, rundll32.exe, rundll32.exe
    PID 3824 wrote to memory of 3832, 3824, rundll32.exe, rundll32.exe
    PID 3824 wrote to memory of 3832, 3824, rundll32.exe, rundll32.exe
    PID 3832 wrote to memory of 4320, 3832, rundll32.exe, cmd.exe
    PID 3832 wrote to memory of 4320, 3832, rundll32.exe, cmd.exe
    PID 3832 wrote to memory of 4320, 3832, rundll32.exe, cmd.exe
    PID 3832 wrote to memory of 4308, 3832, rundll32.exe, wermgr.exe
    PID 3832 wrote to memory of 4308, 3832, rundll32.exe, wermgr.exe
    PID 3832 wrote to memory of 4308, 3832, rundll32.exe, wermgr.exe
    PID 3832 wrote to memory of 4308, 3832, rundll32.exe, wermgr.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3832-118-0x0000000000000000-mapping.dmp
- memory/3832-120-0x0000000004110000-0x0000000004111000-memory.dmp (Filesize: 4KB)
- memory/3832-119-0x00000000027B0000-0x00000000027F2000-memory.dmp (Filesize: 264KB)
- memory/3832-121-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)
- memory/4308-122-0x0000000000000000-mapping.dmp
- memory/4308-124-0x0000024495120000-0x0000024495121000-memory.dmp (Filesize: 4KB)
- memory/4308-123-0x00000244950E0000-0x0000024495108000-memory.dmp (Filesize: 160KB)
- memory/4308-126-0x0000024495150000-0x0000024495152000-memory.dmp (Filesize: 8KB)
- memory/4308-125-0x0000024495150000-0x0000024495152000-memory.dmp (Filesize: 8KB)