Analysis
-
max time kernel
97s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-01-2021 09:16
General
-
Target
a83ca01d677db702c686d6b957405458.exe
-
Size
668KB
-
MD5
a83ca01d677db702c686d6b957405458
-
SHA1
68ab5cec408fdfd586e54a3e11d00b7d8a49c8b4
-
SHA256
8c206ff3cf89ee0ddf05f2608ef0535b7a2c17710e6ccec34ec6439d417dab69
-
SHA512
474f52d06c8ce1e51a712f6972dabbdd3a96b1706c20d09cc5d76ac29061a253c6e4f79fcece97dfcdebabb8697d11fddb895c48be45280b6f9f5516cfa4f002
Malware Config
Extracted
trickbot
100009
mor9
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
-
autorunName:pwgrab
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a83ca01d677db702c686d6b957405458.exe"C:\Users\Admin\AppData\Local\Temp\a83ca01d677db702c686d6b957405458.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1560-4-0x0000000000000000-mapping.dmp
-
memory/1640-2-0x0000000001E20000-0x0000000001E60000-memory.dmpFilesize
256KB
-
memory/1640-3-0x0000000001E60000-0x0000000001E9C000-memory.dmpFilesize
240KB