Analysis
  max time kernel: 148s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/01/2024, 05:30

Static task: static1
Behavioral task: behavioral1
Sample: 7c44e0a43e508476eda5f699d39a0c7f.dll
Resource: win7-20231215-en
General
  Target: 7c44e0a43e508476eda5f699d39a0c7f.dll
  Size: 656KB
  MD5: 7c44e0a43e508476eda5f699d39a0c7f
  SHA1: f7233d983272e37c5c74949dafbb07ff767b8bf7
  SHA256: bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
  SHA512: 0e190f758c115e66aa1f21bd7213a41f93d088d4b5ea6b06dba7539996818983a424383b6bbec72c4fbfa9f2d322e2308cbe0c6a972cbac4220ffd8c85b46954
  SSDEEP: 12288:5bjfhtlWxycV80o3xKA3cHfnoEQOuG/ENYIm8MxxO9qrcOJz8:5bj9ZcG0CxKA3cHPoEQRjNXNYxtnF
Malware Config
  Extracted: trickbot
  100019
  rob120
  C2 endpoints:
    65.152.201.203:443
    185.56.175.122:443
    46.99.175.217:443
    179.189.229.254:443
    46.99.175.149:443
    181.129.167.82:443
    216.166.148.187:443
    46.99.188.223:443
    128.201.76.252:443
    62.99.79.77:443
    60.51.47.65:443
    24.162.214.166:443
    45.36.99.184:443
    97.83.40.67:443
    184.74.99.214:443
    103.105.254.17:443
    62.99.76.213:443
    82.159.149.52:443
  autorun: Name:pwgrabb, Name:pwgrabc
Signatures

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  3292  4916        WerFault.exe  81

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2764  wermgr.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process       procid_target
  PID 4244 wrote to memory of 4916  4244  rundll32.exe  81
  PID 4244 wrote to memory of 4916  4244  rundll32.exe  81
  PID 4244 wrote to memory of 4916  4244  rundll32.exe  81
  PID 4916 wrote to memory of 2404  4916  rundll32.exe  87
  PID 4916 wrote to memory of 2404  4916  rundll32.exe  87
  PID 4916 wrote to memory of 2404  4916  rundll32.exe  87
  PID 4916 wrote to memory of 2764  4916  rundll32.exe  90
  PID 4916 wrote to memory of 2764  4916  rundll32.exe  90
  PID 4916 wrote to memory of 2764  4916  rundll32.exe  90
  PID 4916 wrote to memory of 2764  4916  rundll32.exe  90
Processes (process tree; the number before each entry is its depth in the tree)

1  C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c44e0a43e508476eda5f699d39a0c7f.dll,#1
   PID: 4244
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c44e0a43e508476eda5f699d39a0c7f.dll,#1
      PID: 4916
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         PID: 2404

      3  C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         PID: 2764
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 672
         PID: 3292
         - Program crash

1  C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4916 -ip 4916
   PID: 4132