Analysis

  • max time kernel
    123s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 15:13

General

  • Target

    cdde7cd544a463e3ff0aad3e81b4cb9b.exe

  • Size

    628KB

  • MD5

    7de3134c1fad9d58f6ba45e1ba56fc87

  • SHA1

    6ba596a6f9c79b4cb1e02b297470dea6f7f1102e

  • SHA256

    5c864556e2b7a2796889182b40da14f88dbf47029e2304b40615d1db8d95c731

  • SHA512

    2d37a80a361231f2d4d0181995e16a94613a8e7c8ed4b66540f37a8a6156bafcc54371cf14b5fed28eec5a13c7b76aa7c9a3f97a6a208e768778200fbd7fa52f

Malware Config

Extracted

Family

trickbot

Version

1000491

Botnet

tot635

C2

23.94.70.12:443

5.182.210.132:443

5.2.75.137:443

172.82.152.136:443

198.23.252.117:443

194.5.250.62:443

185.14.30.176:443

195.123.245.127:443

195.54.162.179:443

184.164.137.190:443

198.46.161.213:443

64.44.51.106:443

107.172.251.159:443

85.143.220.41:443

107.172.29.108:443

107.172.208.51:443

107.181.187.221:443

190.214.13.2:449

181.140.173.186:449

181.129.104.139:449

Attributes

  • autorun
    Name: pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdde7cd544a463e3ff0aad3e81b4cb9b.exe
    "C:\Users\Admin\AppData\Local\Temp\cdde7cd544a463e3ff0aad3e81b4cb9b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
      C:\Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1852
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B885DA56-5D59-4168-AD71-36AAC5191D4B} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
        C:\Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          3⤵
            PID:1368

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
    MD5

    7de3134c1fad9d58f6ba45e1ba56fc87

    SHA1

    6ba596a6f9c79b4cb1e02b297470dea6f7f1102e

    SHA256

    5c864556e2b7a2796889182b40da14f88dbf47029e2304b40615d1db8d95c731

    SHA512

    2d37a80a361231f2d4d0181995e16a94613a8e7c8ed4b66540f37a8a6156bafcc54371cf14b5fed28eec5a13c7b76aa7c9a3f97a6a208e768778200fbd7fa52f

  • \Users\Admin\AppData\Roaming\sysdefragler\cdde9cd744a483e3ff0aad3e81b4cb9b.exe
    MD5

    7de3134c1fad9d58f6ba45e1ba56fc87

    SHA1

    6ba596a6f9c79b4cb1e02b297470dea6f7f1102e

    SHA256

    5c864556e2b7a2796889182b40da14f88dbf47029e2304b40615d1db8d95c731

    SHA512

    2d37a80a361231f2d4d0181995e16a94613a8e7c8ed4b66540f37a8a6156bafcc54371cf14b5fed28eec5a13c7b76aa7c9a3f97a6a208e768778200fbd7fa52f

  • memory/300-0-0x0000000001F00000-0x0000000001F2E000-memory.dmp
    Filesize

    184KB

  • memory/1360-9-0x0000000000000000-mapping.dmp
  • memory/1368-12-0x0000000000000000-mapping.dmp
  • memory/1852-6-0x0000000000000000-mapping.dmp
  • memory/1904-3-0x0000000000000000-mapping.dmp