Analysis
- max time kernel: 132s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 16:03
- Static task: static1
General
- Target: 99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll
- Size: 337KB
- MD5: 99c343996f05b92b36dab44428d1532d
- SHA1: a9cda06504fd6389b408a46b700dfd9f9c4eefcd
- SHA256: 99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0
- SHA512: acbc7706b6c8f957765c2ef73771ff8c985f6a7a3085f3003abda1c08515d159617078a7926e5ae09021edafb4b60ff5253f9e9828ea5829bb0c915911b9a476
Malware Config
Extracted
- trickbot
- 100021
- rob144
- autorun
Signatures
- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 31, ioc wtfismyip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 1804; process: wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   process       target process
  PID 2580 wrote to memory of 3048   2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 3048   2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 3048   2580  rundll32.exe  rundll32.exe
  PID 3048 wrote to memory of 3828   3048  rundll32.exe  cmd.exe
  PID 3048 wrote to memory of 3828   3048  rundll32.exe  cmd.exe
  PID 3048 wrote to memory of 3828   3048  rundll32.exe  cmd.exe
  PID 3048 wrote to memory of 1804   3048  rundll32.exe  wermgr.exe
  PID 3048 wrote to memory of 1804   3048  rundll32.exe  wermgr.exe
  PID 3048 wrote to memory of 1804   3048  rundll32.exe  wermgr.exe
  PID 3048 wrote to memory of 1804   3048  rundll32.exe  wermgr.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1804-122-0x0000000000000000-mapping.dmp
- memory/1804-123-0x000002A19AD80000-0x000002A19ADA8000-memory.dmp (Filesize 160KB)
- memory/1804-124-0x000002A19AE90000-0x000002A19AE91000-memory.dmp (Filesize 4KB)
- memory/1804-126-0x000002A19AEC0000-0x000002A19AEC2000-memory.dmp (Filesize 8KB)
- memory/1804-125-0x000002A19AEC0000-0x000002A19AEC2000-memory.dmp (Filesize 8KB)
- memory/3048-118-0x0000000000000000-mapping.dmp
- memory/3048-119-0x0000000004040000-0x0000000004081000-memory.dmp (Filesize 260KB)
- memory/3048-120-0x0000000000940000-0x0000000000941000-memory.dmp (Filesize 4KB)
- memory/3048-121-0x0000000010001000-0x0000000010003000-memory.dmp (Filesize 8KB)