Resubmissions

  • 25-02-2021 19:33
    210225-ckt8nv3sn2 10
  • 25-02-2021 19:29
    210225-3e1s9c98dn 10
  • 11-02-2021 15:28
    210211-8grt4rpew2 10
  • 11-02-2021 08:01
    210211-4q732bhs9s 10

Analysis

  • max time kernel
    1631s
  • max time network
    1698s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-02-2021 15:28

General

  • Target

    4c765049f292cb94f47f91dbe243d4b2.exe

  • Size

    912KB

  • MD5

    4c765049f292cb94f47f91dbe243d4b2

  • SHA1

    610911bf779ba590ad382be6f8ed799171d12f50

  • SHA256

    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

  • SHA512

    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

  • autorun
    Name:pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        PID:744
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:652
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          PID:1040
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:2124
          • C:\Windows\system32\net.exe
            net config workstation
            5⤵
            PID:4344
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 config workstation
              6⤵
              PID:3252
          • C:\Windows\system32\net.exe
            net view /all
            5⤵
            • Discovers systems in the same network
            PID:1800
          • C:\Windows\system32\net.exe
            net view /all /domain
            5⤵
            • Discovers systems in the same network
            PID:4396
          • C:\Windows\system32\nltest.exe
            nltest /domain_trusts
            5⤵
            PID:1736
          • C:\Windows\system32\nltest.exe
            nltest /domain_trusts /all_trusts
            5⤵
            PID:4476
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Blocklisted process makes network request
          PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (1) T1059
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Remote System Discovery (1) T1018
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (1) T1005


Downloads

  • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
    MD5
    4c765049f292cb94f47f91dbe243d4b2
    SHA1
    610911bf779ba590ad382be6f8ed799171d12f50
    SHA256
    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
    SHA512
    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

  • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
    MD5
    4c765049f292cb94f47f91dbe243d4b2
    SHA1
    610911bf779ba590ad382be6f8ed799171d12f50
    SHA256
    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
    SHA512
    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5
    769ac535c4d943a7167223d44753c5e9
    SHA1
    40772ec66627604213ee3269b6b7046e27bb2ad8
    SHA256
    cc544b507572b02d34dc0cd36151d9970aac3d374feb7c2a8a06de30f48f0712
    SHA512
    5b64abff651865bd0e9764745226a963698b7f5927920dc9a902b102394b4570fc45a48041d73a792ade20293024893b24a8691d6fcd8e0a12c242d81855680b

  • memory/652-15-0x0000000000000000-mapping.dmp
  • memory/652-17-0x00000209D3B60000-0x00000209D3B61000-memory.dmp
    Filesize
    4KB
  • memory/1040-18-0x0000000000000000-mapping.dmp
  • memory/1736-26-0x0000000000000000-mapping.dmp
  • memory/1800-24-0x0000000000000000-mapping.dmp
  • memory/2124-21-0x0000000000000000-mapping.dmp
  • memory/2684-28-0x0000000000000000-mapping.dmp
  • memory/2684-29-0x0000011DCA3E0000-0x0000011DCA3E1000-memory.dmp
    Filesize
    4KB
  • memory/3252-23-0x0000000000000000-mapping.dmp
  • memory/3620-10-0x00000000024D0000-0x00000000024D1000-memory.dmp
    Filesize
    4KB
  • memory/3620-8-0x0000000003FE0000-0x0000000004018000-memory.dmp
    Filesize
    224KB
  • memory/3620-4-0x0000000000000000-mapping.dmp
  • memory/3620-11-0x0000000010001000-0x0000000010003000-memory.dmp
    Filesize
    8KB
  • memory/4244-12-0x0000000000000000-mapping.dmp
  • memory/4244-14-0x0000025221590000-0x0000025221591000-memory.dmp
    Filesize
    4KB
  • memory/4244-13-0x0000025221480000-0x00000252214A7000-memory.dmp
    Filesize
    156KB
  • memory/4344-22-0x0000000000000000-mapping.dmp
  • memory/4396-25-0x0000000000000000-mapping.dmp
  • memory/4476-27-0x0000000000000000-mapping.dmp
  • memory/4704-3-0x00000000040B0000-0x00000000040E6000-memory.dmp
    Filesize
    216KB
  • memory/4704-2-0x00000000040F0000-0x0000000004128000-memory.dmp
    Filesize
    224KB