Overview

overview

10

Static

static

30 mins

windows7_x64

10

30 mins Win10

windows10_x64

10

Resubmissions

23-11-2020 11:51

201123-ypblgj22k2 10

20-11-2020 11:47

201120-y2cng92bq6 10

20-11-2020 11:44

201120-5yd27gn712 10

Analysis

  • max time kernel
    1721s
  • max time network
    1787s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-11-2020 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trick.dll

  • Size

    272KB

  • MD5

    5f7b5a98f75f4aa550e4368eb6dc9733

  • SHA1

    d835a309e249f5d526529b9a28ed138b1bcfd40b

  • SHA256

    c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a

  • SHA512

    167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac

Score
10/10
trickbotrob7bankerpersistencespywaretrojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

rob7

C2

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Blacklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 721 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trick.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\trick.dll
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:524
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Blacklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          PID:1280
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            5⤵
            • Modifies service
            • Gathers network information
            PID:1908
          • C:\Windows\system32\net.exe
            net config workstation
            5⤵
              PID:1096
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 config workstation
                6⤵
                  PID:1444
              • C:\Windows\system32\net.exe
                net view /all
                5⤵
                • Discovers systems in the same network
                PID:1104
              • C:\Windows\system32\net.exe
                net view /all /domain
                5⤵
                • Discovers systems in the same network
                PID:1932
              • C:\Windows\system32\nltest.exe
                nltest /domain_trusts
                5⤵
                  PID:1524
                • C:\Windows\system32\nltest.exe
                  nltest /domain_trusts /all_trusts
                  5⤵
                    PID:1352

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Command-Line Interface

          1
          T1059

          Persistence

          Modify Existing Service

          1
          T1031

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Remote System Discovery

          1
          T1018

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/524-103-0x0000000000230000-0x0000000000230013-memory.dmp
            Filesize

            19B

            Download
          • memory/524-5-0x0000000000000000-mapping.dmp
            Download
          • memory/524-18-0x0000000000230000-0x0000000000230013-memory.dmp
            Filesize

            19B

            Download
          • memory/524-17-0x0000000000240000-0x0000000000241000-memory.dmp
            Filesize

            4KB

            Download
          • memory/884-0-0x0000000000000000-mapping.dmp
            Download
          • memory/884-1-0x0000000000220000-0x000000000025A000-memory.dmp
            Filesize

            232KB

            Download
          • memory/884-2-0x0000000000260000-0x0000000000298000-memory.dmp
            Filesize

            224KB

            Download
          • memory/884-3-0x0000000000540000-0x0000000000576000-memory.dmp
            Filesize

            216KB

            Download
          • memory/1096-93-0x0000000000000000-mapping.dmp
            Download
          • memory/1104-95-0x0000000000000000-mapping.dmp
            Download
          • memory/1280-53-0x0000000000140000-0x0000000000140400-memory.dmp
            Filesize

            1024B

            Download
          • memory/1280-48-0x0000000180000000-0x0000000180016000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1280-50-0x0000000180000000-0x0000000180016000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1280-54-0x0000000000130000-0x000000000013000D-memory.dmp
            Filesize

            13B

            Download
          • memory/1280-85-0x00000000003B0000-0x00000000003B0058-memory.dmp
            Filesize

            88B

            Download
          • memory/1280-90-0x0000000000190000-0x0000000000190080-memory.dmp
            Filesize

            128B

            Download
          • memory/1280-102-0x0000000000130000-0x000000000013000D-memory.dmp
            Filesize

            13B

            Download
          • memory/1280-51-0x00000000003B0000-0x00000000003B0058-memory.dmp
            Filesize

            88B

            Download
          • memory/1280-100-0x0000000000190000-0x0000000000190080-memory.dmp
            Filesize

            128B

            Download
          • memory/1280-40-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-99-0x0000000000000000-mapping.dmp
            Download
          • memory/1444-94-0x0000000000000000-mapping.dmp
            Download
          • memory/1524-98-0x0000000000000000-mapping.dmp
            Download
          • memory/1784-4-0x0000000000000000-mapping.dmp
            Download
          • memory/1908-91-0x0000000000000000-mapping.dmp
            Download
          • memory/1932-96-0x0000000000000000-mapping.dmp
            Download