Analysis
- max time kernel: 91s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 00:36
- Static task: static1
General
- Target: trickbot.dll
- Size: 2.7MB
- MD5: 878c538a3acc666f96b74e987a3e579f
- SHA1: abffed857f15d8a80e64aaf13667add9033c2aae
- SHA256: 38bda9baac921f012075d800e5a38f1f387c6c7b4956d1ce48296e759a73d09f
- SHA512: 3019872ba67859b3cd6df26367532df0ebfb40e502e33475794fe9624712b899c8ad292e3b2a3a2fa5823a3291756770c1334d3d1089f2b3e6acfc623d8bd5c7
Malware Config
Extracted
- Family: trickbot
- Version: 100018
- Botnet (gtag): rob109
- C2 (29 endpoints, all on TCP/443):
  38.110.103.124:443
  185.56.76.28:443
  204.138.26.60:443
  60.51.47.65:443
  74.85.157.139:443
  68.69.26.182:443
  38.110.103.136:443
  38.110.103.18:443
  138.34.28.219:443
  185.56.76.94:443
  217.115.240.248:443
  24.162.214.166:443
  80.15.2.105:443
  154.58.23.192:443
  38.110.100.104:443
  45.36.99.184:443
  185.56.76.108:443
  185.56.76.72:443
  138.34.28.35:443
  97.83.40.67:443
  38.110.103.113:443
  38.110.100.142:443
  184.74.99.214:443
  103.105.254.17:443
  62.99.76.213:443
  82.159.149.52:443
  38.110.100.33:443
  38.110.100.242:443
  185.13.79.3:443
- autorun:
  - Name: pwgrabb
  - Name: pwgrabc
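The extracted config above, turned into usable indicators. This is an added example, not part of the sandbox report: it labels the fields, validates each C2 line as address plus port (rejecting anything else rather than silently dropping it), and groups the endpoints by /24, which shows that a third of this list sits in three prefixes. The function names and the CONFIG_TEXT constant are this example's own; the values inside CONFIG_TEXT are copied from the report.

```python
import ipaddress
from collections import Counter

# Constructed input: the "Extracted" block as it appears in the report
# (family, version, botnet tag, then one C2 endpoint per line).
CONFIG_TEXT = """\
trickbot
100018
rob109
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
"""


def parse_trickbot_config(text):
    """Split the extracted-config block into labelled fields.

    Returns {"family", "version", "botnet", "c2": [(ip, port), ...], "rejected": [...]}.
    A line that is not a valid IP address plus a numeric port goes to "rejected"
    so that an extraction or copy error is visible instead of silently lost.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet = lines[:3]
    c2, rejected = [], []
    for line in lines[3:]:
        host, sep, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # accepts [v6]:port as well
            port = int(port)
            if not sep or not 0 < port < 65536:
                raise ValueError
        except ValueError:
            rejected.append(line)
            continue
        c2.append((str(ip), port))
    return {"family": family, "version": version, "botnet": botnet,
            "c2": c2, "rejected": rejected}


def c2_prefix_counts(c2, prefixlen=24):
    """Count C2 endpoints per network prefix (default /24).

    Several endpoints in one /24 usually means one hosting block or a set of
    compromised routers in one ISP range; a prefix block is then often a more
    durable control than blocking the individual addresses.
    """
    nets = (ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip, _ in c2)
    return Counter(str(n) for n in nets)


def suspicious_c2(c2):
    """Endpoints that are private, loopback or otherwise not globally routable:
    a sign the config was misparsed rather than a real C2."""
    return [(ip, port) for ip, port in c2 if not ipaddress.ip_address(ip).is_global]


if __name__ == "__main__":
    cfg = parse_trickbot_config(CONFIG_TEXT)
    print(f"{cfg['family']} version={cfg['version']} botnet={cfg['botnet']} "
          f"c2={len(cfg['c2'])} rejected={len(cfg['rejected'])}")
    for net, n in c2_prefix_counts(cfg["c2"]).most_common():
        if n > 1:
            print(f"{net}: {n} endpoints")
    for ip, port in cfg["c2"]:
        print(f"{ip}:{port}")
```

The prefix grouping is the part worth keeping: 38.110.103.0/24, 38.110.100.0/24 and 185.56.76.0/24 each hold four of the 29 endpoints, and 138.34.28.0/24 holds two, so a blocklist built only from the exact addresses misses the obvious neighbours.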
Signatures
- suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2 (2 alerts)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid  process
  Token: SeDebugPrivilege  444  wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                       pid   process       target process  events
  PID 3896 wrote to memory of 4816  3896  rundll32.exe  rundll32.exe    3
  PID 4816 wrote to memory of 3456  4816  rundll32.exe  cmd.exe         3
  PID 4816 wrote to memory of 444   4816  rundll32.exe  wermgr.exe      4
Processes
1. C:\Windows\system32\rundll32.exe (PID 3896)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4816)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 3456)
         C:\Windows\system32\cmd.exe
      3. C:\Windows\system32\wermgr.exe (PID 444)
         C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
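Detection logic over the process tree and signature rows above, as an added example that is not from the report or the sandbox. Constructed process, WriteProcessMemory and AdjustPrivilegeToken events reproduce what the report shows (four processes, ten writes, one SeDebugPrivilege adjustment), and four checks flag what a practitioner would alert on: rundll32 calling a DLL export by ordinal from a user-writable path, rundll32 writing into a process with a different image (cmd.exe, wermgr.exe), wermgr.exe started by something other than its usual parent, and SeDebugPrivilege enabled in a process that was just written to. The event field names, the helper names and the set of expected wermgr.exe parents are this example's assumptions.

```python
import re

# Constructed events mirroring the report: process tree, then the memory-write
# and privilege-adjust rows (counts match the "10 IoCs" / "1 IoC" signature rows).
PROCESSES = [
    {"pid": 3896, "ppid": 0,    "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1"},
    {"pid": 4816, "ppid": 3896, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1"},
    {"pid": 3456, "ppid": 4816, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 444,  "ppid": 4816, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
]
MEMORY_WRITES = [(3896, 4816)] * 3 + [(4816, 3456)] * 3 + [(4816, 444)] * 4  # (source, target)
PRIVILEGE_ADJUSTS = [(444, "SeDebugPrivilege")]                                # (pid, privilege)

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
ORDINAL_EXPORT = re.compile(r",#\d+\b")
# Assumption: wermgr.exe is normally started by the WER service host (svchost.exe)
# or by another wermgr.exe; anything else is worth a look.
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "wermgr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(processes):
    return {p["pid"]: p for p in processes}


def rundll32_ordinal_from_user_path(processes):
    """rundll32 invoking an export by ordinal (",#N") from a user-writable directory."""
    return [p["pid"] for p in processes
            if basename(p["image"]) == "rundll32.exe"
            and ORDINAL_EXPORT.search(p["cmdline"])
            and USER_WRITABLE.search(p["cmdline"])]


def cross_image_writes(processes, writes):
    """rundll32 writing into a process whose image differs from its own.

    The 64-bit rundll32 (3896) also writes into the 32-bit rundll32 it launches
    (4816) as part of ordinary process creation, so same-image pairs are ignored
    to keep that benign write out of the results."""
    procs = by_pid(processes)
    hits = set()
    for src, dst in writes:
        s, d = procs.get(src), procs.get(dst)
        if s and d and basename(s["image"]) == "rundll32.exe" \
                and basename(d["image"]) != basename(s["image"]):
            hits.add((src, dst, basename(d["image"])))
    return sorted(hits)


def wermgr_unexpected_parent(processes):
    """wermgr.exe whose (known) parent is not in EXPECTED_WERMGR_PARENTS."""
    procs = by_pid(processes)
    out = []
    for p in processes:
        if basename(p["image"]) != "wermgr.exe":
            continue
        parent = procs.get(p["ppid"])
        if parent is not None and basename(parent["image"]) not in EXPECTED_WERMGR_PARENTS:
            out.append(p["pid"])
    return out


def debug_privilege_in_injected(processes, writes, adjusts):
    """SeDebugPrivilege enabled in a process that rundll32 wrote into."""
    written = {dst for _, dst, _ in cross_image_writes(processes, writes)}
    return sorted({pid for pid, priv in adjusts
                   if priv == "SeDebugPrivilege" and pid in written})


def triage(processes=PROCESSES, writes=MEMORY_WRITES, adjusts=PRIVILEGE_ADJUSTS):
    return {
        "ordinal_rundll32": rundll32_ordinal_from_user_path(processes),
        "cross_image_writes": cross_image_writes(processes, writes),
        "wermgr_bad_parent": wermgr_unexpected_parent(processes),
        "debug_priv_after_injection": debug_privilege_in_injected(processes, writes, adjusts),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

The ordinal-export check on its own is noisy on some hosts (installers use rundll32 ordinals too); the combination with a user-writable DLL path and a subsequent write into cmd.exe or wermgr.exe is what makes this chain worth paging on.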
Downloads
file                                                              size
memory/444-144-0x0000000000000000-mapping.dmp                     -
memory/444-145-0x000001C3E3BE0000-0x000001C3E3C08000-memory.dmp   160KB
memory/4816-130-0x0000000000000000-mapping.dmp                    -
memory/4816-131-0x0000000002EC0000-0x0000000002EFB000-memory.dmp  236KB
memory/4816-135-0x0000000003030000-0x0000000003069000-memory.dmp  228KB
memory/4816-138-0x0000000003070000-0x00000000030A7000-memory.dmp  220KB
memory/4816-141-0x0000000010000000-0x000000001015F000-memory.dmp  1.4MB
memory/4816-142-0x0000000002CB0000-0x0000000002D3D000-memory.dmp  564KB
memory/4816-143-0x00000000030B0000-0x00000000030F4000-memory.dmp  272KB
memory/4816-146-0x0000000002CB0000-0x0000000002D3D000-memory.dmp  564KB
memory/4816-147-0x00000000030B0000-0x00000000030F4000-memory.dmp  272KB
memory/4816-148-0x0000000010000000-0x000000001015F000-memory.dmp  1.4MB

The 1.4MB region of PID 4816 at 0x10000000 (the default image base for 32-bit DLLs) and the 564KB and 272KB regions are each dumped twice, at an earlier and a later snapshot.