Overview

overview

10

Static

static

f7d50ffb24...74.exe

windows7_x64

10

f7d50ffb24...74.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7d50ffb24b9a7802c4657e3dd871574.exe

  • Size

    440KB

  • MD5

    f7d50ffb24b9a7802c4657e3dd871574

  • SHA1

    1d2b0641ac09a198f71e2b0e8e48351a6fca6674

  • SHA256

    0983eb624effc643a11db3a17755ec83c5db588330a89aaea612e199d77d0c43

  • SHA512

    ef5de20e5dcd89e010835758a9fc300b25ea1245d7472cb3a492b58db6cf42dbabb999df39f0e9394e0f7517b23056166ca073203e9ca5b7feba7a74057c8b9b

Score
10/10
trickbotbankerevasiontrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Windows security bypass 2 TTPs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d50ffb24b9a7802c4657e3dd871574.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d50ffb24b9a7802c4657e3dd871574.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:368
  • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
    C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2260
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:1120
  • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
    C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1268
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
        PID:2304

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Disabling Security Tools

    1
    T1089

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      MD5

      f7d50ffb24b9a7802c4657e3dd871574

      SHA1

      1d2b0641ac09a198f71e2b0e8e48351a6fca6674

      SHA256

      0983eb624effc643a11db3a17755ec83c5db588330a89aaea612e199d77d0c43

      SHA512

      ef5de20e5dcd89e010835758a9fc300b25ea1245d7472cb3a492b58db6cf42dbabb999df39f0e9394e0f7517b23056166ca073203e9ca5b7feba7a74057c8b9b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      MD5

      f7d50ffb24b9a7802c4657e3dd871574

      SHA1

      1d2b0641ac09a198f71e2b0e8e48351a6fca6674

      SHA256

      0983eb624effc643a11db3a17755ec83c5db588330a89aaea612e199d77d0c43

      SHA512

      ef5de20e5dcd89e010835758a9fc300b25ea1245d7472cb3a492b58db6cf42dbabb999df39f0e9394e0f7517b23056166ca073203e9ca5b7feba7a74057c8b9b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      MD5

      f7d50ffb24b9a7802c4657e3dd871574

      SHA1

      1d2b0641ac09a198f71e2b0e8e48351a6fca6674

      SHA256

      0983eb624effc643a11db3a17755ec83c5db588330a89aaea612e199d77d0c43

      SHA512

      ef5de20e5dcd89e010835758a9fc300b25ea1245d7472cb3a492b58db6cf42dbabb999df39f0e9394e0f7517b23056166ca073203e9ca5b7feba7a74057c8b9b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TeamViewer\f8d60ffb24b9a8902c4768e3dd981684.exe
      MD5

      f7d50ffb24b9a7802c4657e3dd871574

      SHA1

      1d2b0641ac09a198f71e2b0e8e48351a6fca6674

      SHA256

      0983eb624effc643a11db3a17755ec83c5db588330a89aaea612e199d77d0c43

      SHA512

      ef5de20e5dcd89e010835758a9fc300b25ea1245d7472cb3a492b58db6cf42dbabb999df39f0e9394e0f7517b23056166ca073203e9ca5b7feba7a74057c8b9b

      Download Submit
    • memory/368-127-0x0000000140016000-0x000000014001D000-memory.dmp
      Filesize

      28KB

      Download
    • memory/368-129-0x0000000140020000-0x0000000140021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/368-132-0x000002193A230000-0x000002193A231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/368-128-0x000000014001E000-0x0000000140020000-memory.dmp
      Filesize

      8KB

      Download
    • memory/368-130-0x0000000140021000-0x0000000140022000-memory.dmp
      Filesize

      4KB

      Download
    • memory/368-124-0x0000000000000000-mapping.dmp
      Download
    • memory/368-125-0x0000000140000000-0x0000000140001000-memory.dmp
      Filesize

      4KB

      Download
    • memory/368-126-0x0000000140001000-0x0000000140016000-memory.dmp
      Filesize

      84KB

      Download
    • memory/1120-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1268-158-0x0000000000560000-0x0000000000561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2260-145-0x00000000004D0000-0x000000000061A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2304-151-0x0000000000000000-mapping.dmp
      Download
    • memory/3584-119-0x0000000003050000-0x00000000030E3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3584-118-0x0000000002330000-0x0000000002333000-memory.dmp
      Filesize

      12KB

      Download
    • memory/4048-121-0x0000000010001000-0x0000000010004000-memory.dmp
      Filesize

      12KB

      Download
    • memory/4048-122-0x0000000010004000-0x0000000010005000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-123-0x0000000010006000-0x0000000010007000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-120-0x0000000010000000-0x0000000010001000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-131-0x0000000002160000-0x0000000002161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-115-0x0000000000000000-mapping.dmp
      Download