Analysis
- max time kernel: 121s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 16:03
Static task
static1
General
- Target: c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll
- Size: 313KB
- MD5: e1b20c989761bb53e37067fd4e5bce7a
- SHA1: 7fb7c25aa83e34c943733fa57d8c5ca12d098d88
- SHA256: c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9
- SHA512: 3ab2e21f7128940f7293271011971b1e3a98db293a0f6aec2173b05e600ef8af41f380febb836a05b520e33e09e2a6315abcca37bbf3b89ec780c163e4b1550b
Malware Config
Extracted
- Family: trickbot
- Version: 100021
- Botnet: rob144
- C2 (ip:port):
  181.129.85.98:443
  189.112.119.205:443
  189.51.118.78:443
  186.121.214.106:443
  49.176.188.184:443
  61.69.102.170:443
  213.32.252.221:443
  89.46.216.2:443
  103.36.79.3:443
  103.108.97.51:443
  95.140.217.242:443
  41.175.22.226:443
  190.109.169.161:443
  186.159.12.18:443
  190.109.171.17:443
  181.196.148.202:443
  186.47.75.58:443
  186.42.212.30:443
  190.214.21.14:443
  187.108.32.133:443
  201.184.226.74:443
  186.159.5.177:443
- Attributes: autorun
Signatures
- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    32    wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2028  wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                   pid   process       target process
    PID 2308 wrote to memory of 2776  2308  rundll32.exe  rundll32.exe
    PID 2308 wrote to memory of 2776  2308  rundll32.exe  rundll32.exe
    PID 2308 wrote to memory of 2776  2308  rundll32.exe  rundll32.exe
    PID 2776 wrote to memory of 1648  2776  rundll32.exe  cmd.exe
    PID 2776 wrote to memory of 1648  2776  rundll32.exe  cmd.exe
    PID 2776 wrote to memory of 1648  2776  rundll32.exe  cmd.exe
    PID 2776 wrote to memory of 2028  2776  rundll32.exe  wermgr.exe
    PID 2776 wrote to memory of 2028  2776  rundll32.exe  wermgr.exe
    PID 2776 wrote to memory of 2028  2776  rundll32.exe  wermgr.exe
    PID 2776 wrote to memory of 2028  2776  rundll32.exe  wermgr.exe
Processes
- [1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll,#1
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll,#1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
    - [3] C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/2028-119-0x0000000000000000-mapping.dmp
- memory/2028-120-0x0000029DF1810000-0x0000029DF1838000-memory.dmp (Filesize: 160KB)
- memory/2028-121-0x0000029DF1920000-0x0000029DF1921000-memory.dmp (Filesize: 4KB)
- memory/2028-123-0x0000029DF1A50000-0x0000029DF1A52000-memory.dmp (Filesize: 8KB)
- memory/2028-122-0x0000029DF1A50000-0x0000029DF1A52000-memory.dmp (Filesize: 8KB)
- memory/2776-115-0x0000000000000000-mapping.dmp
- memory/2776-116-0x0000000004820000-0x000000000485B000-memory.dmp (Filesize: 236KB)
- memory/2776-117-0x0000000004700000-0x0000000004701000-memory.dmp (Filesize: 4KB)
- memory/2776-118-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize: 8KB)