Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
30-06-2020 23:17
General
-
Target
dZOiYPd.bin.exe
-
Size
500KB
-
MD5
b1253684096a6ab41d9017d3d02b265a
-
SHA1
68e643fa0a4dd16fc32b587535f3ae8958612b10
-
SHA256
a3f763c730e23fab3523b4a501f4590abcc4fd20306cba116c3b726a0d198367
-
SHA512
8b7d97bd4acf405b3c4f8c0a43acb6bb1b4326e601a3fcae0226c483d0cebe132298fe68bfdb41ddef47e0a1cc8ebe62d98fa091f0a551d88822f2fc26371518
Score
10/10
Malware Config
Extracted
Family
trickbot
Version
1000512
Botnet
ono52
C2
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dZOiYPd.bin.exe"C:\Users\Admin\AppData\Local\Temp\dZOiYPd.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1520-0-0x00000000026A0000-0x00000000026D3000-memory.dmpFilesize
204KB
-
memory/2580-1-0x0000000000000000-mapping.dmp