Resubmissions

25-02-2021 19:33

210225-ckt8nv3sn2 10

25-02-2021 19:29

210225-3e1s9c98dn 10

11-02-2021 15:28

210211-8grt4rpew2 10

11-02-2021 08:01

210211-4q732bhs9s 10

Analysis

  • max time kernel
    1727s
  • max time network
    1729s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-02-2021 15:28

General

  • Target

    4c765049f292cb94f47f91dbe243d4b2.exe

  • Size

    912KB

  • MD5

    4c765049f292cb94f47f91dbe243d4b2

  • SHA1

    610911bf779ba590ad382be6f8ed799171d12f50

  • SHA256

    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

  • SHA512

    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:1516
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Drops file in Program Files directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1224
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:1752
            • C:\Windows\system32\ipconfig.exe
              ipconfig /all
              5⤵
              • Gathers network information
              PID:1516
            • C:\Windows\system32\net.exe
              net config workstation
              5⤵
                PID:900
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 config workstation
                  6⤵
                    PID:944
                • C:\Windows\system32\net.exe
                  net view /all
                  5⤵
                  • Discovers systems in the same network
                  PID:1132
                • C:\Windows\system32\net.exe
                  net view /all /domain
                  5⤵
                  • Discovers systems in the same network
                  PID:1832
                • C:\Windows\system32\nltest.exe
                  nltest /domain_trusts
                  5⤵
                    PID:2008
                  • C:\Windows\system32\nltest.exe
                    nltest /domain_trusts /all_trusts
                    5⤵
                      PID:1436
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe
                    4⤵
                    • Blocklisted process makes network request
                    PID:1888

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/620-20-0x0000000000060000-0x0000000000061000-memory.dmp

              Filesize

              4KB

            • memory/1224-16-0x0000000000060000-0x0000000000087000-memory.dmp

              Filesize

              156KB

            • memory/1224-17-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/1672-14-0x0000000010001000-0x0000000010003000-memory.dmp

              Filesize

              8KB

            • memory/1672-13-0x0000000000650000-0x0000000000651000-memory.dmp

              Filesize

              4KB

            • memory/1672-11-0x0000000002100000-0x0000000002138000-memory.dmp

              Filesize

              224KB

            • memory/1812-4-0x0000000003070000-0x00000000030A6000-memory.dmp

              Filesize

              216KB

            • memory/1812-2-0x0000000075781000-0x0000000075783000-memory.dmp

              Filesize

              8KB

            • memory/1812-3-0x00000000030B0000-0x00000000030E8000-memory.dmp

              Filesize

              224KB