trickbot | dfbf77195c1011a196e0595a0511e2b6beb4b3f87c8a7fd8ec2a12c0e9812afb

Analysis

max time kernel
101s
max time network
103s
platform
windows7_x64
resource
win7v20201028
submitted
21-12-2020 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kpsiwn.exe
Size

341KB
MD5

4103d97c7cad79f050901aace0d9fbe0
SHA1

dead0bd2345e9769b5545f4ff628e5c59fb5ef9e
SHA256

e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00
SHA512

390513fba9908a4f84a2f49174d573f8c0c45d9aa17ed5fb0300fe4f1eb85873eda4ed221f82d36ed629a06d0b1edd3983c10a5904949eae7d237753ab77ec57

Score

10^/10

trickbot mor1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100007

Botnet

mor1

41.243.29.182:449

196.45.140.146:449

103.87.25.220:443

103.98.129.222:449

103.87.25.220:449

103.65.196.44:449

103.65.195.95:449

103.61.101.11:449

103.61.100.131:449

103.150.68.124:449

103.137.81.206:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
Drops file in Windows directory 1 IoCs

Processes:

kpsiwn.exe

description ioc process

File opened for modification C:\Windows\explorer.exe kpsiwn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1388 wermgr.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org

description	ioc	process
File opened for modification	C:\Windows\explorer.exe	kpsiwn.exe

description	pid	process
Token: SeDebugPrivilege	1388	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

kpsiwn.exe

description	pid	process	target process
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe
PID 1684 wrote to memory of 1388	1684	kpsiwn.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe
"C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-4-0x0000000000000000-mapping.dmp

Download
memory/1684-2-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/1684-3-0x00000000004D0000-0x000000000050B000-memory.dmp

Filesize
236KB

Download