Analysis Overview
SHA256
ff15a7acd64d2acc3a31b0fc6d639e4b2a69cc2f983e9de4dca767dcc00e1620
Threat Level: Known bad
The file 7df90229d7bdb64afb4279eb374267ba was found to be: Known bad.
Malicious Activity Summary
Trickbot
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-28 20:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 20:52
Reported
2024-01-28 20:55
Platform
win7-20231215-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Trickbot
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7df90229d7bdb64afb4279eb374267ba.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7df90229d7bdb64afb4279eb374267ba.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| RS | 46.99.175.217:443 | tcp | |
| ES | 62.99.79.77:443 | tcp | |
| BR | 179.189.229.254:443 | tcp | |
| US | 65.152.201.203:443 | tcp | |
| RS | 46.99.188.223:443 | tcp | |
| US | 24.162.214.166:443 | tcp | |
| US | 45.36.99.184:443 | tcp | |
| RS | 46.99.175.149:443 | tcp |
Files
memory/1968-0-0x00000000008A0000-0x00000000008DB000-memory.dmp
memory/1968-3-0x0000000000860000-0x0000000000898000-memory.dmp
memory/1968-5-0x00000000008E0000-0x0000000000919000-memory.dmp
memory/1968-8-0x0000000000970000-0x00000000009A7000-memory.dmp
memory/1968-11-0x00000000009B0000-0x00000000009F4000-memory.dmp
memory/1968-12-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/1968-13-0x00000000002D0000-0x00000000002D3000-memory.dmp
memory/1344-14-0x0000000000110000-0x0000000000111000-memory.dmp
memory/1344-15-0x0000000000060000-0x0000000000088000-memory.dmp
memory/1968-16-0x00000000009B0000-0x00000000009F4000-memory.dmp
memory/1968-17-0x00000000002D0000-0x00000000002D3000-memory.dmp
memory/1344-18-0x0000000000060000-0x0000000000088000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 20:52
Reported
2024-01-28 20:55
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Trickbot
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7df90229d7bdb64afb4279eb374267ba.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7df90229d7bdb64afb4279eb374267ba.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 640
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | tcp | |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RS | 46.99.175.149:443 | tcp | |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 24.162.214.166:443 | tcp | |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RS | 46.99.175.217:443 | tcp | |
| US | 65.152.201.203:443 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| ES | 62.99.79.77:443 | tcp | |
| PL | 185.56.175.122:443 | tcp | |
| ES | 82.159.149.52:443 | tcp |
Files
memory/884-5-0x00000000023F0000-0x0000000002429000-memory.dmp
memory/884-4-0x0000000000A20000-0x0000000000A58000-memory.dmp
memory/884-8-0x0000000002540000-0x0000000002577000-memory.dmp
memory/884-0-0x00000000023B0000-0x00000000023EB000-memory.dmp
memory/884-11-0x0000000002580000-0x00000000025C4000-memory.dmp
memory/884-13-0x0000000002430000-0x0000000002433000-memory.dmp
memory/884-12-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/5028-15-0x000002311AD70000-0x000002311AD98000-memory.dmp
memory/5028-14-0x000002311AF10000-0x000002311AF11000-memory.dmp
memory/884-16-0x0000000000A00000-0x0000000000A13000-memory.dmp
memory/884-17-0x0000000002580000-0x00000000025C4000-memory.dmp
memory/5028-18-0x000002311AD70000-0x000002311AD98000-memory.dmp