Analysis Overview
SHA256
d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79
Threat Level: Known bad
The file d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79 was found to be: Known bad.
Malicious Activity Summary
Gozi
Trickbot
Trickbot family
Gozi family
Templ.dll packer
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-21 17:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
147s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000631a48406a4a78a6a1edc99e44dffc201c9ca64e408b35647134fe12b6603658000000000e800000000200002000000088f6723722eff073cc5b2468fe93bd47078c9126f853fd10c4e780b8e2d03a8620000000d0806b11510ada4fa14650714725ee99ddcab3fda067855272701951b53f689940000000dfc17e0ec96abb51d88198a1fa350147a6f05308045ff96a15f6d889366c03954060c15e846cf485a559f2f1aad9972f8927f633018d1de05cb6907b525003bc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3703586967" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e071c6ddce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000bd6880953a7f43e218f3c8bc942b7cb4da999a4602dc054cd4519fea933ed1d8000000000e8000000002000020000000abf6f2e22fc0e1c4b55e6d6d8d7e8b48d49e3444974147d2a4fcd8af0826e02c200000006b0350ce5b3f8d8efeebde24c39a9c4842a121b8279e8483c404bf5a28653cd8400000004345d86c2e5e6940753d8e240b53c1481973f67043c86cba8d7924d0b721b707a55043fb728b17f59ca10a17f5344879e0cdb55f43c65842c9cb7628384264ca | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3703586967" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09dcdddce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08603F2B-BFC2-11EF-AEE2-E26222BAF6A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3876 wrote to memory of 1964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3876 wrote to memory of 1964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3876 wrote to memory of 1964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3404 wrote to memory of 4076 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3404 wrote to memory of 4076 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3404 wrote to memory of 4076 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3404 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api10.laptok.at | udp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| US | 8.8.8.8:53 | 239.255.169.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1964-0-0x0000000010031000-0x0000000010035000-memory.dmp
memory/1964-1-0x0000000010000000-0x0000000010040000-memory.dmp
memory/1964-2-0x0000000010000000-0x0000000010040000-memory.dmp
memory/1964-3-0x0000000010000000-0x0000000010040000-memory.dmp
memory/1964-4-0x0000000010031000-0x0000000010035000-memory.dmp
memory/1964-5-0x0000000010000000-0x0000000010040000-memory.dmp
memory/1964-6-0x0000000001430000-0x0000000001440000-memory.dmp
memory/1964-9-0x0000000010000000-0x0000000010040000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A92B941-BFC2-11EF-AF2A-7E3D785E6C2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a000000000200000000001066000000010000200000007bd6df4eb20340cd9611e8e34dd70325d3b2c9f06ba880e8b258e95232fd0e72000000000e80000000020000200000001ee33c30e5e655b1895da841756dbecbbf383ad07ff7e6b8e9900bd4a5fd72bc200000000574c94fad0dcd9edf43a4a6736d1e7aec1aa3545eff64313a2296632b73b7a84000000025aad4877af783f431a111fed60d285110b2bddb52f388d2193d006d23da4e2c34ca93d0665614ebd9a3dfb0b1476128d163cf3a58f27c70344d3f8362102fa3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50133ef0ce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4010603837" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a0000000002000000000010660000000100002000000059679131cb513c011998db34ad2c095da1c931c672c22b2e55320602d825b1bd000000000e8000000002000020000000d80a4fbe01518d78977b803946485ebf1d1f612b673b4ca0c0a26583c7968aed20000000dfa1822ba16ca63e7af1e34963b7fe7fb1afd7ec76568e25ea14dfe657df50da40000000a2645cf419bb500bd2b9ffe4a806afa853c7ecd16afde48b854a033b8e2dfdb4b23a30ad96ba96aa90cb51f8180a560a0096392b413b0293cee71a9434e739ab | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4010603837" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308947f0ce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 4284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2684 wrote to memory of 4284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2684 wrote to memory of 4284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1264 wrote to memory of 2236 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1264 wrote to memory of 2236 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1264 wrote to memory of 2236 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api10.laptok.at | udp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| US | 8.8.8.8:53 | 239.255.169.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
Files
memory/4284-0-0x0000000010000000-0x0000000012019000-memory.dmp
memory/4284-1-0x0000000010000000-0x0000000012019000-memory.dmp
memory/4284-2-0x0000000002AD0000-0x0000000004AE3000-memory.dmp
memory/4284-3-0x0000000010000000-0x0000000012013000-memory.dmp
memory/4284-4-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/4284-7-0x0000000010000000-0x0000000012019000-memory.dmp
memory/4284-8-0x0000000002AD0000-0x0000000004AE3000-memory.dmp
memory/4284-9-0x0000000010000000-0x0000000012013000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 184 wrote to memory of 1084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 184 wrote to memory of 1084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 184 wrote to memory of 1084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1084 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1084 wrote to memory of 3500 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1084 wrote to memory of 3500 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1084 wrote to memory of 3500 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1084 wrote to memory of 3500 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| DE | 45.155.173.242:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| BR | 45.230.244.20:443 | 45.230.244.20 | tcp |
| US | 8.8.8.8:53 | 20.244.230.45.in-addr.arpa | udp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 8.8.8.8:53 | 96.194.8.193.in-addr.arpa | udp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| MD | 185.163.45.138:443 | | tcp |
| BR | 186.250.157.116:443 | | tcp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files
memory/1084-1-0x0000000002E00000-0x0000000002E37000-memory.dmp
memory/1084-0-0x0000000002F70000-0x0000000002FB1000-memory.dmp
memory/1084-2-0x0000000002F70000-0x0000000002FB1000-memory.dmp
memory/1084-4-0x0000000010000000-0x0000000010003000-memory.dmp
memory/1084-3-0x0000000002E40000-0x0000000002E41000-memory.dmp
memory/3500-5-0x000002AA3A990000-0x000002AA3A9B7000-memory.dmp
memory/3500-6-0x000002AA3AB30000-0x000002AA3AB31000-memory.dmp
memory/1084-7-0x0000000002F70000-0x0000000002FB1000-memory.dmp
memory/1084-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/3500-9-0x000002AA3A990000-0x000002AA3A9B7000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240903-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 45.155.173.242:443 | | tcp |
| US | 108.170.20.75:443 | | tcp |
| HN | 200.52.147.93:443 | | tcp |
| RO | 194.5.249.156:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
Files
memory/2372-0-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2372-1-0x0000000000180000-0x00000000001B6000-memory.dmp
memory/2372-2-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2372-4-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2372-3-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2020-5-0x0000000000060000-0x0000000000087000-memory.dmp
memory/2020-6-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2372-7-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2372-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2020-9-0x0000000000060000-0x0000000000087000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4712 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4712 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4712 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1628 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1628 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1628 wrote to memory of 4236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1628 wrote to memory of 4236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1628 wrote to memory of 4236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
| PID 1628 wrote to memory of 4236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 142.202.191.164:443 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| BR | 45.230.244.20:443 | 45.230.244.20 | tcp |
| US | 8.8.8.8:53 | 20.244.230.45.in-addr.arpa | udp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 8.8.8.8:53 | 96.194.8.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 193.8.194.96:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 193.8.194.96:443 | | tcp |
| HN | 200.52.147.93:443 | | tcp |
| FR | 134.119.186.202:443 | 134.119.186.202 | tcp |
| DE | 45.155.173.242:443 | | tcp |
| US | 8.8.8.8:53 | 202.186.119.134.in-addr.arpa | udp |
| N/A | 36.94.62.207:443 | | tcp |
Files
memory/1628-0-0x0000000000920000-0x0000000000961000-memory.dmp
memory/1628-1-0x00000000008E0000-0x0000000000916000-memory.dmp
memory/1628-2-0x0000000000920000-0x0000000000961000-memory.dmp
memory/1628-4-0x0000000010000000-0x0000000010003000-memory.dmp
memory/1628-3-0x0000000002130000-0x0000000002131000-memory.dmp
memory/4236-5-0x000001E06B2A0000-0x000001E06B2A1000-memory.dmp
memory/4236-6-0x000001E06B100000-0x000001E06B127000-memory.dmp
memory/1628-7-0x0000000000920000-0x0000000000961000-memory.dmp
memory/1628-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/4236-9-0x000001E06B100000-0x000001E06B127000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Trickbot
Trickbot family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3220 wrote to memory of 3728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3220 wrote to memory of 3728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3220 wrote to memory of 3728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3728 -ip 3728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3728-0-0x0000000010000000-0x000000001405E000-memory.dmp
memory/3728-1-0x0000000001580000-0x00000000015C1000-memory.dmp
memory/3728-2-0x0000000001580000-0x00000000015C1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20241010-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 45.155.173.242:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| BR | 186.250.157.116:443 | | tcp |
| RO | 194.5.249.156:443 | | tcp |
| HN | 200.52.147.93:443 | | tcp |
Files
memory/2224-1-0x0000000000180000-0x00000000001B7000-memory.dmp
memory/2224-0-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2224-2-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2224-3-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2912-4-0x00000000000E0000-0x0000000000107000-memory.dmp
memory/2912-5-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2224-6-0x00000000001C0000-0x0000000000201000-memory.dmp
memory/2224-7-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2912-8-0x00000000000E0000-0x0000000000107000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240903-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1
Network
Files
memory/2488-0-0x0000000010031000-0x0000000010035000-memory.dmp
memory/2488-1-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-2-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-3-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-4-0x0000000010031000-0x0000000010035000-memory.dmp
memory/2488-5-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-7-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-9-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2488-11-0x00000000001A0000-0x00000000001B0000-memory.dmp
memory/2488-13-0x0000000010000000-0x0000000010040000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240903-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1
Network
Files
memory/2228-0-0x0000000010000000-0x0000000012019000-memory.dmp
memory/2228-1-0x0000000010000000-0x0000000012019000-memory.dmp
memory/2228-2-0x0000000010000000-0x0000000012019000-memory.dmp
memory/2228-3-0x0000000010000000-0x0000000012019000-memory.dmp
memory/2228-5-0x0000000000290000-0x00000000002A0000-memory.dmp
memory/2228-8-0x0000000010000000-0x0000000012019000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0aecbd7ce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3602646286" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e510000000002000000000010660000000100002000000084c5182f7eef273accd2c344c3536cf4d6ba91fe6e8cbc922398c571adeefbbd000000000e8000000002000020000000a299e529cc35792724e09fd11912af801613c0de436fb68038d1b001de99e54f200000006ac3bf6182739938fa6ae68d10586752d5451e0d9024dc9fcaf48e3a297c4019400000001d384e8bba2a75ccb5452ac9d049adfd61285b6d1902f7210a3a03e6d0a62cde45e7b97f6a830ae95e74846ead8a0464e384fda25622fea28fa851b1bc9736c8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e51000000000200000000001066000000010000200000007406322f2b850bd09dff03f079b54836d28ba5c84cbe3be81c37d63324db7fab000000000e8000000002000020000000f4a57eac1f8d56bb6fe0132194dbe5eb78a1761ede0ec903a99c9c123c18a55d2000000019cdae9a4bae245b76b565e28771e7427bbb6b263bac3158a7a3591c926df7c140000000471942e889b34d6b4b8f1675cbc5a89e652a3f5b5e9972409cdc8ac2dd4bd46344ff9d1991bf39fc14f74bd9a1f4306dbf8d5157964fb3594267005b1d88c888 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f3c6d7ce53db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{025C02BE-BFC2-11EF-A7EA-5227CD58F2D9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3602646286" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2072 wrote to memory of 540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2072 wrote to memory of 540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1660 wrote to memory of 336 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1660 wrote to memory of 336 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1660 wrote to memory of 336 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api10.laptok.at | udp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| SG | 54.169.255.239:80 | api10.laptok.at | tcp |
| US | 8.8.8.8:53 | 239.255.169.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/540-0-0x0000000010091000-0x0000000010095000-memory.dmp
memory/540-1-0x0000000010000000-0x000000001009C000-memory.dmp
memory/540-2-0x0000000010000000-0x000000001009C000-memory.dmp
memory/540-3-0x0000000001620000-0x0000000001630000-memory.dmp
memory/540-6-0x0000000010000000-0x000000001009C000-memory.dmp
memory/540-7-0x0000000010091000-0x0000000010095000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20241010-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 45.155.173.242:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| MD | 185.163.45.138:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
| US | 193.8.194.96:443 | | tcp |
Files
memory/1236-1-0x0000000000670000-0x00000000006A7000-memory.dmp
memory/1236-2-0x0000000000710000-0x0000000000751000-memory.dmp
memory/1236-0-0x0000000000710000-0x0000000000751000-memory.dmp
memory/1236-4-0x0000000010000000-0x0000000010003000-memory.dmp
memory/1236-3-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/2804-5-0x0000000000060000-0x0000000000087000-memory.dmp
memory/2804-6-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1236-7-0x0000000000710000-0x0000000000751000-memory.dmp
memory/1236-8-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2804-9-0x0000000000060000-0x0000000000087000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1288 wrote to memory of 2552 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4008 wrote to memory of 2052 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4008 wrote to memory of 2052 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4008 wrote to memory of 2052 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240903-en
Max time kernel
127s
Max time network
137s
Command Line
Signatures
Trickbot
Trickbot family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| RO | 194.5.249.156:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| FR | 134.119.186.202:443 | | tcp |
| US | 108.170.20.75:443 | | tcp |
| MD | 185.163.45.138:443 | | tcp |
Files
memory/2272-0-0x0000000010000000-0x000000001405E000-memory.dmp
memory/2272-1-0x0000000000230000-0x0000000000271000-memory.dmp
memory/2272-2-0x0000000000230000-0x0000000000271000-memory.dmp
memory/1072-3-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2272-4-0x0000000000290000-0x0000000000293000-memory.dmp
memory/1072-5-0x00000000000E0000-0x0000000000107000-memory.dmp
memory/2272-6-0x0000000000230000-0x0000000000271000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win7-20240708-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Gozi
Gozi family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1
Network
Files
memory/2280-0-0x0000000010091000-0x0000000010095000-memory.dmp
memory/2280-2-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-1-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-3-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-4-0x0000000010091000-0x0000000010095000-memory.dmp
memory/2280-5-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-6-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-7-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-8-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-13-0x0000000010000000-0x000000001009C000-memory.dmp
memory/2280-15-0x0000000000130000-0x0000000000140000-memory.dmp
memory/2280-18-0x0000000010000000-0x000000001009C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-21 17:34
Reported
2024-12-21 17:37
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
150s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3240 wrote to memory of 4432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3240 wrote to memory of 4432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3240 wrote to memory of 4432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4432-0-0x0000000000FD0000-0x0000000001011000-memory.dmp
memory/4432-2-0x0000000000FD0000-0x0000000001011000-memory.dmp
memory/4432-1-0x0000000000F90000-0x0000000000FC7000-memory.dmp