Analysis
max time kernel: 139s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28/01/2024, 05:30
Static task: static1
Behavioral task: behavioral1
Sample: 7c44e0a43e508476eda5f699d39a0c7f.dll
Resource: win7-20231215-en
General
Target: 7c44e0a43e508476eda5f699d39a0c7f.dll
Size: 656KB
MD5: 7c44e0a43e508476eda5f699d39a0c7f
SHA1: f7233d983272e37c5c74949dafbb07ff767b8bf7
SHA256: bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
SHA512: 0e190f758c115e66aa1f21bd7213a41f93d088d4b5ea6b06dba7539996818983a424383b6bbec72c4fbfa9f2d322e2308cbe0c6a972cbac4220ffd8c85b46954
SSDEEP: 12288:5bjfhtlWxycV80o3xKA3cHfnoEQOuG/ENYIm8MxxO9qrcOJz8:5bj9ZcG0CxKA3cHPoEQRjNXNYxtnF
Malware Config
Extracted
trickbot
100019
rob120
autorun: Name:pwgrabb, Name:pwgrabc
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1836 | wermgr.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2080 wrote to memory of 2144 | 2080 | rundll32.exe | 28 (7 identical entries)
PID 2144 wrote to memory of 2328 | 2144 | rundll32.exe | 29 (4 identical entries)
PID 2144 wrote to memory of 1836 | 2144 | rundll32.exe | 30 (6 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c44e0a43e508476eda5f699d39a0c7f.dll,#1
   PID: 2080
   Signature: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c44e0a43e508476eda5f699d39a0c7f.dll,#1
      PID: 2144
      Signature: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         PID: 2328

      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         PID: 1836
         Signature: Suspicious use of AdjustPrivilegeToken