Analysis Overview
SHA256
a1dd74d7301bf8d504449071142c81113bcd4d0c88fee46e7bacf550495a72bc
Threat Level: Known bad
The file 87936f0b8f079c7f722ab91029cc3f8a was found to be: Known bad.
Malicious Activity Summary
Trickbot
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-01 22:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 22:12
Reported
2024-02-01 22:44
Platform
win11-20231215-en
Max time kernel
1798s
Max time network
1806s
Command Line
Signatures
Trickbot
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 2640 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2640 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
Files