Overview

overview

10

Static

static

120 seconds - Win. 10

windows10_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    18/07/2020, 02:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9170m9n7wy.exe

  • Size

    407KB

  • MD5

    08d2ed581121a8fbc571a59575f49551

  • SHA1

    bda7427ce7a2ff32487382f287131f100897c93d

  • SHA256

    68389a5a69824e2e45224f87af64703e5b3f83af859ae843cbf356a641904164

  • SHA512

    55be89710132d39a24408d223794d45d7c384eb81a4dfddee4098ea87727a6914aaa0888ea35e20982746cc5e4b697fdc3531049f25d56144c7ba3fd69d0cff3

Score
10/10
trojanbankertrickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

ono56

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot

Processes

  • C:\Users\Admin\AppData\Local\Temp\9170m9n7wy.exe
    "C:\Users\Admin\AppData\Local\Temp\9170m9n7wy.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3836

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3100-0-0x0000000000610000-0x0000000000643000-memory.dmp

          Filesize

          204KB

          Download