Analysis
max time kernel: 140s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23-12-2021 16:03
Static task: static1
General
Target: 0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll
Size: 355KB
MD5: 26cad7271c1e1c55f828bdac604d077b
SHA1: 8bb409c7bd6e45761267a030c5fc332958177a15
SHA256: 0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87
SHA512: aef5493e725e4c3cf719a23465ebc39aa5cb07d81df7ac2294f7f5eac5737557e547150e93b2afa15935781865b29817d1f73ef3a037c46e65b7a6e4a6aec7ae
Malware Config
Extracted family: trickbot
Version: 100021
Botnet (gtag): rob144
Attributes: autorun
C2 servers (all TCP/443):
181.129.85.98:443
189.112.119.205:443
189.51.118.78:443
186.121.214.106:443
49.176.188.184:443
61.69.102.170:443
213.32.252.221:443
89.46.216.2:443
103.36.79.3:443
103.108.97.51:443
95.140.217.242:443
41.175.22.226:443
190.109.169.161:443
186.159.12.18:443
190.109.171.17:443
181.196.148.202:443
186.47.75.58:443
186.42.212.30:443
190.214.21.14:443
187.108.32.133:443
201.184.226.74:443
186.159.5.177:443
The C2 list is the one embedded in this build's configuration at extraction time; TrickBot rotates its server list per build, so treat these addresses as build-specific indicators rather than a stable blocklist.
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 39: api.ipify.org
api.ipify.org itself is a benign service; the indicator is the lookup originating from the rundll32/wermgr.exe chain below, not the destination on its own.

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 1776 wermgr.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs; one row per call, so repeated rows in the raw report are repeated calls, not duplicates)
source PID  source process  target PID  target process  calls
3804        rundll32.exe    3100        rundll32.exe    3
3100        rundll32.exe    1680        cmd.exe         3
3100        rundll32.exe    1776        wermgr.exe      4
Processes (PIDs taken from the WriteProcessMemory and AdjustPrivilegeToken IoCs above)

C:\Windows\system32\rundll32.exe (PID 3804)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3100)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1680)
      command line: C:\Windows\system32\cmd.exe
    C:\Windows\system32\wermgr.exe (PID 1776)
      command line: C:\Windows\system32\wermgr.exe
      signatures: Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe re-launching the SysWOW64 copy with the same command line is the normal rundll32 behaviour for a 32-bit DLL, so the sample is a 32-bit DLL invoked by export ordinal #1. The 32-bit rundll32.exe (3100) then writes into cmd.exe and into the 64-bit wermgr.exe, and the wermgr.exe instance subsequently enables SeDebugPrivilege, which Windows Error Reporting has no reason to do on its own.
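The WriteProcessMemory rows and the AdjustPrivilegeToken row above are enough to reconstruct the injection chain and to write a detection for it. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses IoC rows in the exact shape the report prints them (the rows are constructed here from this report), rebuilds the writer chain that ends in wermgr.exe, and flags rundll32.exe writing into another image together with the injected process enabling SeDebugPrivilege. The INJECTION_TARGETS set is an assumption chosen for the example.

```python
"""Rebuild the injection chain from sandbox IoC rows and flag it.

Added example; not the report's own tooling. Rows below are constructed from
the WriteProcessMemory / AdjustPrivilegeToken IoCs in this report.
"""
import re
from collections import Counter

# One row per WriteProcessMemory call, as the report prints them.
WPM_ROWS = """
PID 3804 wrote to memory of 3100 3804 rundll32.exe rundll32.exe
PID 3804 wrote to memory of 3100 3804 rundll32.exe rundll32.exe
PID 3804 wrote to memory of 3100 3804 rundll32.exe rundll32.exe
PID 3100 wrote to memory of 1680 3100 rundll32.exe cmd.exe
PID 3100 wrote to memory of 1680 3100 rundll32.exe cmd.exe
PID 3100 wrote to memory of 1680 3100 rundll32.exe cmd.exe
PID 3100 wrote to memory of 1776 3100 rundll32.exe wermgr.exe
PID 3100 wrote to memory of 1776 3100 rundll32.exe wermgr.exe
PID 3100 wrote to memory of 1776 3100 rundll32.exe wermgr.exe
PID 3100 wrote to memory of 1776 3100 rundll32.exe wermgr.exe
"""
TOKEN_ROWS = """
Token: SeDebugPrivilege 1776 wermgr.exe
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Assumption for this example: Windows-owned images that loaders commonly
# inject into. rundll32.exe writing into any of these is alert-worthy alone.
INJECTION_TARGETS = {"wermgr.exe", "cmd.exe", "svchost.exe", "explorer.exe"}


def parse_wpm(text):
    """Return {(src_pid, src_image, dst_pid, dst_image): call_count}."""
    counts = Counter()
    for src, dst, src_img, dst_img in WPM_RE.findall(text):
        counts[(int(src), src_img.lower(), int(dst), dst_img.lower())] += 1
    return counts


def parse_tokens(text):
    """Return {(pid, image): privilege} for each AdjustPrivilegeToken row."""
    return {(int(pid), img.lower()): priv
            for priv, pid, img in TOKEN_RE.findall(text)}


def writer_chain(wpm, pid):
    """Walk 'who wrote into whom' backwards from pid; oldest writer first.

    In this report the writer chain coincides with the process tree
    (3804 -> 3100 -> 1776), which is why it is useful as a triage view.
    """
    by_target = {}
    for (src, src_img, dst, dst_img) in wpm:
        by_target[dst] = (src, src_img, dst_img)
    chain, seen, name = [], set(), None
    while pid in by_target and pid not in seen:
        seen.add(pid)
        src, src_img, dst_img = by_target[pid]
        chain.append((pid, dst_img))
        pid, name = src, src_img
    if name is not None:
        chain.append((pid, name))  # root writer, known only as a source
    return list(reversed(chain))


def build_findings(wpm_text, token_text):
    """Pair cross-process writes with privilege changes in the written-to process."""
    wpm = parse_wpm(wpm_text)
    tokens = parse_tokens(token_text)
    findings = []
    for (src, src_img, dst, dst_img), n in sorted(wpm.items()):
        if src_img == "rundll32.exe" and dst_img in INJECTION_TARGETS:
            findings.append(("injection", src, dst, dst_img, n))
    written_to = {dst for (_, _, dst, _) in wpm}
    for (pid, img), priv in tokens.items():
        if priv == "SeDebugPrivilege" and img in INJECTION_TARGETS:
            # True when the process enabling the privilege was itself a
            # WriteProcessMemory target: the two events belong together.
            findings.append(("privilege", pid, img, priv, pid in written_to))
    return findings


if __name__ == "__main__":
    for f in build_findings(WPM_ROWS, TOKEN_ROWS):
        print(f)
    print(writer_chain(parse_wpm(WPM_ROWS), 1776))
```

Run against this report the script yields two injection findings (rundll32.exe 3100 into cmd.exe 1680 and into wermgr.exe 1776) and one privilege finding for wermgr.exe marked as a prior injection target; the rundll32-to-rundll32 write (3804 into 3100) is not flagged because rundll32 re-launching its 32-bit copy is expected for a 32-bit DLL.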
Downloads (memory dumps)
file                                                                    size
memory/1776-119-0x0000000000000000-mapping.dmp                          (mapping file)
memory/1776-120-0x000001DF39840000-0x000001DF39868000-memory.dmp        160KB
memory/1776-121-0x000001DF39950000-0x000001DF39951000-memory.dmp        4KB
memory/1776-122-0x000001DF39980000-0x000001DF39982000-memory.dmp        8KB
memory/1776-123-0x000001DF39980000-0x000001DF39982000-memory.dmp        8KB
memory/3100-115-0x0000000000000000-mapping.dmp                          (mapping file)
memory/3100-116-0x0000000004650000-0x0000000004696000-memory.dmp        280KB
memory/3100-117-0x00000000046C0000-0x00000000046C1000-memory.dmp        4KB
memory/3100-118-0x0000000010001000-0x0000000010003000-memory.dmp        8KB

The dumps from PID 1776 (wermgr.exe) carry 64-bit user-mode addresses (0x000001DF...), while those from PID 3100 (the SysWOW64 rundll32.exe) are 32-bit; the 0x10001000 region in 3100 is consistent with the DLL being mapped at the common 32-bit default image base 0x10000000. The 280KB region at 0x04650000 in 3100 is the largest non-image dump and is the natural starting point when looking for the unpacked payload, though the report itself does not say what it contains.