Analysis

  • max time kernel
    137s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    24-08-2020 22:33

General

  • Target

    127661.exe

  • Size

    375KB

  • MD5

    309c240336952e3a6afe08f91581aa76

  • SHA1

    7cc257d1dc641c5fc312c7694a1a7be7ce31cb46

  • SHA256

    621d7c1d19ccbaa8d56dbcb37e46f4437fa425ce92895acd87a6df9710f8b391

  • SHA512

    a7e68157c9d9e6a317fa5a898cf1b96bd884132e4634fecd495af74d5e40b72f54a85446730a0a0ac8379039146f1840229e420c5b7dd64b1eca8be0b09fb104

Malware Config

Extracted

Family

trickbot

Version

1000098

Botnet

mac1

C2

79.106.41.9:449

94.250.252.146:443

62.109.18.206:443

62.109.26.193:443

78.24.223.50:443

94.250.252.162:443

92.53.78.209:443

92.53.66.115:443

62.109.16.70:443

62.109.23.229:443

62.109.17.100:443

82.146.47.221:443

195.133.144.43:443

194.87.92.217:443

95.213.194.234:443

195.133.147.44:443

194.87.238.149:443

78.155.206.154:443

185.80.130.195:443

94.250.252.168:443

Attributes

  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Windows security bypass (2 TTPs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies data under HKEY_USERS (42 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (1431 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\127661.exe
    "C:\Users\Admin\AppData\Local\Temp\127661.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Roaming\services\237772.exe
      C:\Users\Admin\AppData\Roaming\services\237772.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\system32\svchost.exe
        svchost.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0C8BD2F6-A286-46CE-BE43-154C969488F8} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:1928
    • C:\Users\Admin\AppData\Roaming\services\237772.exe
      C:\Users\Admin\AppData\Roaming\services\237772.exe
      2⤵
      • Executes dropped EXE
      PID:1948
      • C:\Windows\system32\svchost.exe
        svchost.exe
        3⤵
        PID:1764
    • C:\Users\Admin\AppData\Roaming\services\237772.exe
      C:\Users\Admin\AppData\Roaming\services\237772.exe
      2⤵
      • Executes dropped EXE
      PID:1632
      • C:\Windows\system32\svchost.exe
        svchost.exe
        3⤵
        • Modifies data under HKEY_USERS
        PID:1528

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Disabling Security Tools: 1 (T1089)
    Modify Registry: 1 (T1112)


Downloads

  • C:\Users\Admin\AppData\Roaming\services\237772.exe
  • C:\Users\Admin\AppData\Roaming\services\237772.exe
  • C:\Users\Admin\AppData\Roaming\services\237772.exe
  • C:\Users\Admin\AppData\Roaming\services\client_id
  • \Users\Admin\AppData\Roaming\services\237772.exe
  • memory/868-4-0x0000000000751000-0x0000000000752000-memory.dmp
    Filesize: 4KB
  • memory/868-2-0x0000000000000000-mapping.dmp
  • memory/1108-6-0x0000000140000000-0x0000000140022000-memory.dmp
    Filesize: 136KB
  • memory/1108-5-0x0000000000000000-mapping.dmp
  • memory/1528-15-0x0000000000000000-mapping.dmp
  • memory/1600-0-0x00000000006A1000-0x00000000006A2000-memory.dmp
    Filesize: 4KB
  • memory/1632-12-0x0000000000000000-mapping.dmp
  • memory/1632-14-0x0000000000721000-0x0000000000722000-memory.dmp
    Filesize: 4KB
  • memory/1764-10-0x0000000000000000-mapping.dmp
  • memory/1948-9-0x0000000000751000-0x0000000000752000-memory.dmp
    Filesize: 4KB
  • memory/1948-7-0x0000000000000000-mapping.dmp