Analysis
max time kernel: 139s
max time network: 148s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2023 12:56
Static task: static1
Behavioral task: behavioral1
Sample: 397263-mon48_crdll.dll
Resource: win7-20230621-en
General
Target: 397263-mon48_crdll.dll
Size: 329KB
MD5: 48cab21fcbe254e7c83f4c1d455a39dc
SHA1: b96c1f765abb14eb401cacab6f6e203c3a255df9
SHA256: f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73
SHA512: 0375a26a2d6d8990d202b75b4cb6797d03300ddc077c4dcb05778365212644ee49ce6e437fde0b77e1b8179d01ffad028635869d2f3897333b85471724d15ebc
SSDEEP: 6144:aNwmpjb5sDo7TgHLC8X9cL4MoOm/ELg22LCs+7/WRE:aFHs5C8e4MPgELILCs8/EE
Malware Config
Extracted: trickbot / 100011 / mon48
autorunName: pwgrab
Signatures
Processes:
  resource: behavioral1/memory/2036-55-0x0000000000270000-0x00000000002A7000-memory.dmp
  yara_rule: templ_dll
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1816 | wermgr.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process):
  PID 1148 wrote to memory of 2036 | 1148 | rundll32.exe | rundll32.exe (7 times)
  PID 2036 wrote to memory of 2020 | 2036 | rundll32.exe | wermgr.exe (4 times)
  PID 2036 wrote to memory of 1816 | 2036 | rundll32.exe | wermgr.exe (6 times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\397263-mon48_crdll.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\397263-mon48_crdll.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
    - C:\Windows\system32\wermgr.exe
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cab50E1.tmp
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
- memory/1816-57-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB
- memory/1816-60-0x0000000000060000-0x0000000000087000-memory.dmp
  Filesize: 156KB
- memory/1816-62-0x0000000000060000-0x0000000000087000-memory.dmp
  Filesize: 156KB
- memory/2036-54-0x00000000002F0000-0x0000000000331000-memory.dmp
  Filesize: 260KB
- memory/2036-55-0x0000000000270000-0x00000000002A7000-memory.dmp
  Filesize: 220KB
- memory/2036-56-0x00000000002F0000-0x0000000000331000-memory.dmp
  Filesize: 260KB
- memory/2036-58-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB
- memory/2036-59-0x0000000010000000-0x0000000010003000-memory.dmp
  Filesize: 12KB
- memory/2036-61-0x00000000002F0000-0x0000000000331000-memory.dmp
  Filesize: 260KB