Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2023 17:54
Static task: static1
Behavioral task: behavioral1
Sample: 8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll
Resource: win7-20220812-en
General
Target: 8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll
Size: 341KB
MD5: 3fc659307c771e566dbc83bddf956d08
SHA1: b83c1fecf23b75a9d97a58c2b526d105e31b72d2
SHA256: 8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e
SHA512: 5f1d07f91b176145ec206c7e831702c2d07ccb3dc6df92d657f7027b67a6e35391f8ae0410742ce9fdfd1f03252caf2803b37abf9d84a5034296476ebd6bad7a
SSDEEP: 6144:/D4xA1AsitoTemJ5HMihpmtXNkTAzYjS8yfaJO22Yv888vX7QGkWGfx:/Dv1ANuCmJ5HRpmgcYO8yfaJdD
Malware Config
Extracted
Family: trickbot
Version: 100011
Botnet: mon73
autorun: Name:pwgrab
Signatures
-
Processes:
resource                                                                       yara_rule
behavioral1/memory/2028-56-0x00000000001C0000-0x00000000001F7000-memory.dmp  templ_dll
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1448  wermgr.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                       pid   process       target process
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 980 wrote to memory of 2028   980   rundll32.exe  rundll32.exe
PID 2028 wrote to memory of 1264  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1264  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1264  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1264  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
PID 2028 wrote to memory of 1448  2028  rundll32.exe  wermgr.exe
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wermgr.exe
      command: C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
      command: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1448-58-0x0000000000000000-mapping.dmp
memory/1448-59-0x0000000000100000-0x0000000000127000-memory.dmp  Filesize: 156KB
memory/1448-61-0x0000000000100000-0x0000000000127000-memory.dmp  Filesize: 156KB
memory/2028-54-0x0000000000000000-mapping.dmp
memory/2028-55-0x0000000075811000-0x0000000075813000-memory.dmp  Filesize: 8KB
memory/2028-56-0x00000000001C0000-0x00000000001F7000-memory.dmp  Filesize: 220KB
memory/2028-57-0x0000000000200000-0x0000000000241000-memory.dmp  Filesize: 260KB
memory/2028-60-0x0000000000200000-0x0000000000241000-memory.dmp  Filesize: 260KB