Overview

overview

10

Static

static

sample.exe

windows7_x64

10

sample.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    24-08-2020 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    375KB

  • MD5

    309c240336952e3a6afe08f91581aa76

  • SHA1

    7cc257d1dc641c5fc312c7694a1a7be7ce31cb46

  • SHA256

    621d7c1d19ccbaa8d56dbcb37e46f4437fa425ce92895acd87a6df9710f8b391

  • SHA512

    a7e68157c9d9e6a317fa5a898cf1b96bd884132e4634fecd495af74d5e40b72f54a85446730a0a0ac8379039146f1840229e420c5b7dd64b1eca8be0b09fb104

Score
10/10
trojanbankertrickbotevasion

Malware Config

Extracted

Family

trickbot

Version

1000098

Botnet

mac1

C2

79.106.41.9:449

94.250.252.146:443

62.109.18.206:443

62.109.26.193:443

78.24.223.50:443

94.250.252.162:443

92.53.78.209:443

92.53.66.115:443

62.109.16.70:443

62.109.23.229:443

62.109.17.100:443

82.146.47.221:443

195.133.144.43:443

194.87.92.217:443

95.213.194.234:443

195.133.147.44:443

194.87.238.149:443

78.155.206.154:443

185.80.130.195:443

94.250.252.168:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 1416 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SYSTEM32\svchost.exe
        svchost.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3372
  • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    1⤵
    • Executes dropped EXE
    PID:2080
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
      • Modifies data under HKEY_USERS
      PID:3728
  • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    1⤵
    • Executes dropped EXE
    PID:640
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
        PID:852

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Disabling Security Tools

    1
    T1089

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      Download Submit
    • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      Download Submit
    • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      Download Submit
    • C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
      Download Submit
    • memory/640-12-0x00000000008C4000-0x00000000008C7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/852-13-0x0000000000000000-mapping.dmp
      Download
    • memory/2080-8-0x0000000000854000-0x0000000000857000-memory.dmp
      Filesize

      12KB

      Download
    • memory/3372-6-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3372-5-0x0000000000000000-mapping.dmp
      Download
    • memory/3728-9-0x0000000000000000-mapping.dmp
      Download
    • memory/3888-0-0x0000000000620000-0x0000000000621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3948-4-0x00000000007B1000-0x00000000007B2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3948-1-0x0000000000000000-mapping.dmp
      Download