Analysis

  • max time kernel
    84s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    17-10-2020 13:32

General

  • Target

    136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6.vbe

  • Size

    636KB

  • MD5

    15810fb5f100a3a2d21e4c2288dc1a88

  • SHA1

    834308004280f11a459f764d9e2339c34dc5d7f1

  • SHA256

    136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6

  • SHA512

    431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87

Score
10/10

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Loads dropped DLL 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
      2⤵
      PID:1776
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
      2⤵
      PID:2020
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\drad\ONKVD.dll
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          4⤵
          PID:832
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:460

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1


Downloads

  • C:\Drad\ONKVD.dll
    MD5: faf55f62d1967375625d0e402c34ee0a
    SHA1: 02c8f9055c69a3386e7dbfd2eafad3beab3779fb
    SHA256: c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e
    SHA512: 227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0HO1P3U7.txt
    MD5: e8e28716cf9ec11d575d2a49e3f2d28b
    SHA1: d3e4bced8294e2d8c353728277b059c2f49270b6
    SHA256: ce804c5caf3e6d9e24f1c9ee066456df4973222f80c6123ae7f21a5b1bc0fb43
    SHA512: b225197130ea7fb80eb2153cf6ad96bf02ee48cf893b2a27ae327da7f8001a90f8a30b2f5bc391bade697f563ddacc75ba4ef371fa62df01c1e938bb81a71855

  • \??\c:\drad\ONKVD.dll
    MD5: 0828f63b9396fead9231cae937694a37
    SHA1: 66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
    SHA256: fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
    SHA512: dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

  • \Drad\ONKVD.dll
    MD5: 0828f63b9396fead9231cae937694a37
    SHA1: 66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
    SHA256: fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
    SHA512: dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

  • memory/460-2-0x0000000000000000-mapping.dmp
  • memory/1100-5-0x0000000000000000-mapping.dmp
  • memory/1332-11-0x0000000000260000-0x0000000000296000-memory.dmp
    Filesize: 216KB
  • memory/1332-10-0x0000000000220000-0x0000000000257000-memory.dmp
    Filesize: 220KB
  • memory/1332-8-0x0000000000000000-mapping.dmp
  • memory/1504-6-0x0000000002640000-0x0000000002644000-memory.dmp
    Filesize: 16KB
  • memory/1776-0-0x0000000000000000-mapping.dmp
  • memory/1852-1-0x000007FEF7AD0000-0x000007FEF7D4A000-memory.dmp
    Filesize: 2.5MB
  • memory/2020-3-0x0000000000000000-mapping.dmp