Overview

overview

10

Static

static

referenceSet.jpg.dll

windows7_x64

10

referenceSet.jpg.dll

windows10_x64

10

Resubmissions

19-08-2021 14:54

210819-1m2h3hyp5a 10

16-07-2021 10:15

210716-ghza71m1ks 10

Analysis

  • max time kernel
    1786s
  • max time network
    1703s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    19-08-2021 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    referenceSet.jpg.dll

  • Size

    594KB

  • MD5

    fbbc24f5345b11b35b8f0b68c9d30caa

  • SHA1

    13a5fd90f3dbc9797a59cf924aa7c6bdc35cacdf

  • SHA256

    bcdac7b40846874f002e6f59413a381e4ae13bf7181eae60203c0ae69f799a57

  • SHA512

    6f05c0d78a7e01e8659410c513a7852709d53db36d885c3a4a32bf8e089cc7cbeab0d129cf669991c779a488ffa515ea2d0ebe49ca03e7881d36ebbc09b13faa

Score
10/10
trickbotzev1bankerspywarestealersuricatatrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • suricata: ET MALWARE Trickbot Checkin Response

    suricata: ET MALWARE Trickbot Checkin Response

    suricata
  • suricata: ET MALWARE Win32/Trickbot Data Exfiltration

    suricata: ET MALWARE Win32/Trickbot Data Exfiltration

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Program crash 1 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\referenceSet.jpg.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\referenceSet.jpg.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3888
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3748
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:740
            • C:\Windows\system32\cmd.exe
              /c ipconfig /all
              6⤵
                PID:2256
                • C:\Windows\system32\ipconfig.exe
                  ipconfig /all
                  7⤵
                  • Gathers network information
                  PID:3192
              • C:\Windows\system32\cmd.exe
                /c net config workstation
                6⤵
                  PID:588
                  • C:\Windows\system32\net.exe
                    net config workstation
                    7⤵
                      PID:3740
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 config workstation
                        8⤵
                          PID:1216
                    • C:\Windows\system32\cmd.exe
                      /c net view /all
                      6⤵
                        PID:2196
                        • C:\Windows\system32\net.exe
                          net view /all
                          7⤵
                          • Discovers systems in the same network
                          PID:3920
                      • C:\Windows\system32\cmd.exe
                        /c net view /all /domain
                        6⤵
                          PID:2688
                          • C:\Windows\system32\net.exe
                            net view /all /domain
                            7⤵
                            • Discovers systems in the same network
                            PID:3236
                        • C:\Windows\system32\cmd.exe
                          /c nltest /domain_trusts
                          6⤵
                            PID:520
                            • C:\Windows\system32\nltest.exe
                              nltest /domain_trusts
                              7⤵
                                PID:1268
                            • C:\Windows\system32\cmd.exe
                              /c nltest /domain_trusts /all_trusts
                              6⤵
                                PID:3088
                                • C:\Windows\system32\nltest.exe
                                  nltest /domain_trusts /all_trusts
                                  7⤵
                                    PID:3768
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe
                                5⤵
                                  PID:1000
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 1000 -s 328
                                    6⤵
                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                    • Program crash
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2608
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe
                                  5⤵
                                  • Blocklisted process makes network request
                                  PID:2524
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3244
                        • C:\Windows\system32\LogonUI.exe
                          "LogonUI.exe" /flags:0x0 /state0:0xa3ace855 /state1:0x41c64e6d
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          PID:3676
                        • C:\Windows\System32\LockAppHost.exe
                          C:\Windows\System32\LockAppHost.exe -Embedding
                          1⤵
                            PID:152

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Command-Line Interface

                          1
                          T1059

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Credentials in Files

                          1
                          T1081

                          Discovery

                          Remote System Discovery

                          1
                          T1018

                          System Information Discovery

                          1
                          T1082

                          Lateral Movement

                          Collection

                          Data from Local System

                          1
                          T1005

                          Exfiltration

                          Command and Control

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/520-153-0x0000000000000000-mapping.dmp
                            Download
                          • memory/588-146-0x0000000000000000-mapping.dmp
                            Download
                          • memory/592-116-0x0000000004860000-0x0000000004897000-memory.dmp
                            Filesize

                            220KB

                            Download
                          • memory/592-118-0x0000000004680000-0x000000000488E000-memory.dmp
                            Filesize

                            2.1MB

                            Download
                          • memory/592-120-0x0000000004910000-0x0000000004911000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/592-119-0x00000000048A0000-0x00000000048E3000-memory.dmp
                            Filesize

                            268KB

                            Download
                          • memory/592-121-0x00000000048F1000-0x00000000048F3000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/592-114-0x0000000000000000-mapping.dmp
                            Download
                          • memory/740-140-0x0000000000000000-mapping.dmp
                            Download
                          • memory/740-141-0x0000000180000000-0x0000000180009000-memory.dmp
                            Filesize

                            36KB

                            Download
                          • memory/1000-157-0x0000000000000000-mapping.dmp
                            Download
                          • memory/1216-148-0x0000000000000000-mapping.dmp
                            Download
                          • memory/1268-154-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2196-149-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2256-144-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2524-163-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2688-151-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2764-173-0x0000000000170000-0x0000000000186000-memory.dmp
                            Filesize

                            88KB

                            Download
                          • memory/2764-174-0x0000000000190000-0x00000000001AB000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/2772-123-0x00000285BA310000-0x00000285BA338000-memory.dmp
                            Filesize

                            160KB

                            Download
                          • memory/2772-122-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2772-124-0x00000285BA420000-0x00000285BA421000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/3088-155-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3192-145-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3236-152-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3244-165-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3740-147-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3748-134-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3768-156-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3888-127-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3888-133-0x0000023E9B180000-0x0000023E9B181000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/3920-150-0x0000000000000000-mapping.dmp
                            Download