Analysis
max time kernel: 123s
max time network: 131s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23-12-2021 16:03
Static task: static1
General
Target: 90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll
Size: 306KB
MD5: bab4f6e9a2c95dd98fb491435bd649ad
SHA1: 20111c57175640ca5d4525b85a3de03580860971
SHA256: 90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e
SHA512: 4386c90fa5adbe81a9310ea7b6c6711ac47556939dde8e6362e5c138c202e2afc77b133472622d3725a03782fdc45dd78defc264e010872e8f7d9eaee7c7b7de
Malware Config
Extracted
Family: trickbot
Version: 100021
Botnet (gtag): rob144
C2 (all on TCP 443):
  181.129.85.98:443
  189.112.119.205:443
  189.51.118.78:443
  186.121.214.106:443
  49.176.188.184:443
  61.69.102.170:443
  213.32.252.221:443
  89.46.216.2:443
  103.36.79.3:443
  103.108.97.51:443
  95.140.217.242:443
  41.175.22.226:443
  190.109.169.161:443
  186.159.12.18:443
  190.109.171.17:443
  181.196.148.202:443
  186.47.75.58:443
  186.42.212.30:443
  190.214.21.14:443
  187.108.32.133:443
  201.184.226.74:443
  186.159.5.177:443
Tags: autorun
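The extracted configuration above is only useful once it is in a form a blocklist or IDS can consume. The following is an added example for this report page, not tooling from the sandbox vendor: it parses the config block exactly as printed above (copied inline), validates every C2 entry, emits one Suricata IP/port rule per C2, and checks a file against the report's hashes. The rule msg/classtype wording and the SID base are assumptions chosen for illustration, not anything the report specifies.

```python
"""Turn the extracted TrickBot configuration above into machine-usable IOCs.

Added example for this report page, not sandbox-vendor code. CONFIG_TEXT and
HASHES are copied from the report as printed; the Suricata msg/classtype
wording and the SID base are assumptions for illustration.
"""
import hashlib
import ipaddress
import re

# Verbatim copy of the "Malware Config / Extracted" block above:
# family, version, botnet tag, then one C2 endpoint per line.
CONFIG_TEXT = """
trickbot
100021
rob144
181.129.85.98:443
189.112.119.205:443
189.51.118.78:443
186.121.214.106:443
49.176.188.184:443
61.69.102.170:443
213.32.252.221:443
89.46.216.2:443
103.36.79.3:443
103.108.97.51:443
95.140.217.242:443
41.175.22.226:443
190.109.169.161:443
186.159.12.18:443
190.109.171.17:443
181.196.148.202:443
186.47.75.58:443
186.42.212.30:443
190.214.21.14:443
187.108.32.133:443
201.184.226.74:443
186.159.5.177:443
"""

# File hashes from the "General" section of the report.
HASHES = {
    "md5": "bab4f6e9a2c95dd98fb491435bd649ad",
    "sha1": "20111c57175640ca5d4525b85a3de03580860971",
    "sha256": "90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e",
}

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Parse the three header lines and the C2 list; reject malformed entries
    rather than silently emitting a rule for garbage."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block too short")
    family, version, botnet = lines[:3]
    c2 = []
    for entry in lines[3:]:
        m = C2_RE.match(entry)
        if not m:
            raise ValueError(f"unexpected C2 entry: {entry!r}")
        ip = ipaddress.ip_address(m.group(1))  # raises on octets > 255
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        c2.append((str(ip), port))
    return {"family": family, "version": version, "botnet": botnet, "c2": c2}


def non_global_c2(cfg):
    """C2 entries in private/reserved space: a sandbox artefact or decoy if any
    appear, so they must not become blocklist rules."""
    return [ip for ip, _ in cfg["c2"] if not ipaddress.ip_address(ip).is_global]


def suricata_rules(cfg, sid_base=9000000):
    """One IP/port rule per routable C2 (sid_base is an assumed local SID range)."""
    rules = []
    for i, (ip, port) in enumerate(cfg["c2"]):
        if not ipaddress.ip_address(ip).is_global:
            continue
        msg = f"{cfg['family']} {cfg['botnet']} C2 {ip}:{port}"
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


def verify_sample(data):
    """Compare file bytes against the report's hashes; all three must agree."""
    return {name: getattr(hashlib, name)(data).hexdigest() == digest
            for name, digest in HASHES.items()}


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print(f"{config['family']} v{config['version']} botnet {config['botnet']}: "
          f"{len(config['c2'])} C2 endpoints")
    print("\n".join(suricata_rules(config)))
```

Every C2 here uses port 443, so the rules key on destination address only; expect them to age quickly, since TrickBot gtag configurations rotate C2 lists, and pair them with the Suricata "Initial Checkin" signature the report already fired rather than relying on addresses alone.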
Signatures
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeDebugPrivilege            928   wermgr.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   process        target process   count
  PID 2384 wrote to memory of 3004   2384  rundll32.exe   rundll32.exe     3
  PID 3004 wrote to memory of 1336   3004  rundll32.exe   cmd.exe          3
  PID 3004 wrote to memory of 928    3004  rundll32.exe   wermgr.exe       4
Processes
(paths and command lines from the report; PIDs taken from the WriteProcessMemory table above)
C:\Windows\system32\rundll32.exe  (pid 2384)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll,#1
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (pid 3004)   [32-bit rundll32 re-launching the DLL under WoW64]
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll,#1
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (pid 1336)
        command line: C:\Windows\system32\cmd.exe
    C:\Windows\system32\wermgr.exe  (pid 928)   [64-bit process written to by the WoW64 rundll32]
        command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
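The two IoC tables and the process tree together describe one chain: the 64-bit rundll32 re-launches the DLL as 32-bit rundll32, which spawns cmd.exe and writes into a freshly started system32\wermgr.exe; wermgr.exe then enables SeDebugPrivilege. Both children receive three writes, wermgr.exe receives a fourth, and wermgr.exe is the only one that goes on to adjust its token. The following is an added example for this report page, not sandbox-vendor code: it parses the report's own IoC rows exactly as they appear flattened above, rebuilds the process tree from the write edges, and flags the write that deserves the analyst's attention. INJECTION_HOSTS is an assumed list of system images that TrickBot-style loaders are known to inject into; it is not something the report states.

```python
"""Rebuild the injection chain from the WriteProcessMemory and
AdjustPrivilegeToken IoC tables above and flag the write that matters.

Added example for this report page, not sandbox-vendor code. WRITES_TEXT and
TOKEN_TEXT are the report's own IoC rows as flattened on the page;
INJECTION_HOSTS is an assumed list of images loaders commonly inject into.
"""
import re
from collections import Counter, defaultdict

# Copied from the "Suspicious use of WriteProcessMemory" table above.
WRITES_TEXT = (
    "description pid process target process "
    "PID 2384 wrote to memory of 3004 2384 rundll32.exe rundll32.exe "
    "PID 2384 wrote to memory of 3004 2384 rundll32.exe rundll32.exe "
    "PID 2384 wrote to memory of 3004 2384 rundll32.exe rundll32.exe "
    "PID 3004 wrote to memory of 1336 3004 rundll32.exe cmd.exe "
    "PID 3004 wrote to memory of 1336 3004 rundll32.exe cmd.exe "
    "PID 3004 wrote to memory of 1336 3004 rundll32.exe cmd.exe "
    "PID 3004 wrote to memory of 928 3004 rundll32.exe wermgr.exe "
    "PID 3004 wrote to memory of 928 3004 rundll32.exe wermgr.exe "
    "PID 3004 wrote to memory of 928 3004 rundll32.exe wermgr.exe "
    "PID 3004 wrote to memory of 928 3004 rundll32.exe wermgr.exe"
)
# Copied from the "Suspicious use of AdjustPrivilegeToken" table above.
TOKEN_TEXT = "description pid process Token: SeDebugPrivilege 928 wermgr.exe"

# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Assumed list of system images commonly used as injection hosts.
INJECTION_HOSTS = {"wermgr.exe", "svchost.exe", "explorer.exe"}


def parse_writes(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image})."""
    edges, images = Counter(), {}
    for m in WRITE_RE.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        images[src], images[dst] = m.group(3), m.group(4)
        edges[(src, dst)] += 1
    return edges, images


def parse_tokens(text):
    """Return {pid: (image, privilege)} for AdjustPrivilegeToken rows."""
    return {int(m.group(2)): (m.group(3), m.group(1)) for m in TOKEN_RE.finditer(text)}


def render_tree(edges, images):
    """Process tree implied by the writes: a pid that is never a target is a
    root; children are sorted by pid so the output is stable."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (pid {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def flag_injections(edges, images, tokens):
    """Cross-image writes into a known injection host are the candidates; a
    target that then enables a privilege like SeDebugPrivilege raises confidence."""
    findings = []
    for (src, dst), n in sorted(edges.items()):
        if images[src] == images[dst] or images[dst] not in INJECTION_HOSTS:
            continue
        reason = f"{images[src]} wrote {n}x into {images[dst]}"
        if dst in tokens:
            reason += f"; target then enabled {tokens[dst][1]}"
        findings.append((src, dst, reason))
    return findings


if __name__ == "__main__":
    edges, images = parse_writes(WRITES_TEXT)
    print("\n".join(render_tree(edges, images)))
    for src, dst, why in flag_injections(edges, images, parse_tokens(TOKEN_TEXT)):
        print(f"INJECTION {src} -> {dst}: {why}")
```

The same edge-and-token logic transfers directly to Sysmon data (event ID 10 for cross-process access, 8 for remote threads, 1 for the parent/child pairs): a rundll32.exe that starts wermgr.exe and writes into it is the pattern to hunt for, and the 928-120 dump listed under Downloads (a 160KB private region at a 64-bit address inside wermgr.exe) is the region an analyst would pull first to recover the injected payload.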
Downloads
  dump                                                                size
  memory/3004-115-0x0000000000000000-mapping.dmp                      -
  memory/3004-116-0x0000000000840000-0x0000000000879000-memory.dmp    228KB
  memory/3004-117-0x0000000000920000-0x0000000000921000-memory.dmp    4KB
  memory/3004-118-0x0000000010001000-0x0000000010003000-memory.dmp    8KB
  memory/928-119-0x0000000000000000-mapping.dmp                       -
  memory/928-120-0x0000024079D80000-0x0000024079DA8000-memory.dmp     160KB
  memory/928-121-0x0000024079E90000-0x0000024079E91000-memory.dmp     4KB
  memory/928-122-0x0000024079EC0000-0x0000024079EC2000-memory.dmp     8KB
  memory/928-123-0x0000024079EC0000-0x0000024079EC2000-memory.dmp     8KB