trickbot | 97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-01-2022 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ACA899FF680343889BD9E2D616F1132.exe
Size

1.2MB
MD5

4aca899ff680343889bd9e2d616f1132
SHA1

a4d7806fb256d0f7d5acd272b81387d42d5ffda6
SHA256

97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27
SHA512

b482f61f27c489a47c9fa999cf9378a4e3ba7e096c987f9568fb62f7c47c97fc2425d4f99ac056575e775f72cac61cbf505ac14f13e0ff9f3178d9edee69190a

Score

10^/10

trickbot mor1 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

mor1

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 3 IoCs

Processes:

Tu.comTu.comTu.com

pid process

1800 Tu.com
1196 Tu.com
604 Tu.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeTu.comTu.com

pid process

560 cmd.exe
1800 Tu.com
1196 Tu.com

pid	process
1800	Tu.com
1196	Tu.com
604	Tu.com

pid	process
560	cmd.exe
1800	Tu.com
1196	Tu.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4ACA899FF680343889BD9E2D616F1132.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ACA899FF680343889BD9E2D616F1132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ACA899FF680343889BD9E2D616F1132.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tu.com

description pid process target process

PID 1196 set thread context of 604 1196 Tu.com Tu.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

812 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1760 wermgr.exe

description	pid	process	target process
PID 1196 set thread context of 604	1196	Tu.com	Tu.com

pid	process
812	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1760	wermgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

4ACA899FF680343889BD9E2D616F1132.execmd.execmd.exeTu.comTu.comTu.com

description	pid	process	target process
PID 1688 wrote to memory of 1100	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 1100	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 1100	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 1100	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 696	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 696	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 696	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 1688 wrote to memory of 696	1688	4ACA899FF680343889BD9E2D616F1132.exe	cmd.exe
PID 696 wrote to memory of 1304	696	cmd.exe	certutil.exe
PID 696 wrote to memory of 1304	696	cmd.exe	certutil.exe
PID 696 wrote to memory of 1304	696	cmd.exe	certutil.exe
PID 696 wrote to memory of 1304	696	cmd.exe	certutil.exe
PID 696 wrote to memory of 560	696	cmd.exe	cmd.exe
PID 696 wrote to memory of 560	696	cmd.exe	cmd.exe
PID 696 wrote to memory of 560	696	cmd.exe	cmd.exe
PID 696 wrote to memory of 560	696	cmd.exe	cmd.exe
PID 560 wrote to memory of 684	560	cmd.exe	findstr.exe
PID 560 wrote to memory of 684	560	cmd.exe	findstr.exe
PID 560 wrote to memory of 684	560	cmd.exe	findstr.exe
PID 560 wrote to memory of 684	560	cmd.exe	findstr.exe
PID 560 wrote to memory of 336	560	cmd.exe	certutil.exe
PID 560 wrote to memory of 336	560	cmd.exe	certutil.exe
PID 560 wrote to memory of 336	560	cmd.exe	certutil.exe
PID 560 wrote to memory of 336	560	cmd.exe	certutil.exe
PID 560 wrote to memory of 1800	560	cmd.exe	Tu.com
PID 560 wrote to memory of 1800	560	cmd.exe	Tu.com
PID 560 wrote to memory of 1800	560	cmd.exe	Tu.com
PID 560 wrote to memory of 1800	560	cmd.exe	Tu.com
PID 560 wrote to memory of 812	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 812	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 812	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 812	560	cmd.exe	PING.EXE
PID 1800 wrote to memory of 1196	1800	Tu.com	Tu.com
PID 1800 wrote to memory of 1196	1800	Tu.com	Tu.com
PID 1800 wrote to memory of 1196	1800	Tu.com	Tu.com
PID 1800 wrote to memory of 1196	1800	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 1196 wrote to memory of 604	1196	Tu.com	Tu.com
PID 604 wrote to memory of 1016	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1016	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1016	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1016	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe
PID 604 wrote to memory of 1760	604	Tu.com	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\4ACA899FF680343889BD9E2D616F1132.exe
"C:\Users\Admin\AppData\Local\Temp\4ACA899FF680343889BD9E2D616F1132.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c izXS
2⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
2⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\certutil.exe
certutil -decode Popolato.swf Illusione.xps
3⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
4⤵
PID:684

C:\Windows\SysWOW64\certutil.exe
certutil -decode Turba.csv W
4⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Tu.com W
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
PID:1016

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
MD5
35fde30343a8651ad541e796d764a052

SHA1
66b2c2b29f3f666ed4b290e7e48650cb4b20e303

SHA256
0ece2aec545f79a310010bf1b36dad830944f8f089afee9141cd260f95c36b59

SHA512
3aa2f31d1525867ccedb7161a9647c9d275fc61f58cd31599e05ae2dda0643f3b5b7234c61f260d583a74b17eaecbceb2e3e4b6a6a386b164c9bbf1d2b9a38b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
MD5
2b7d94cc6c10c0bdf0a6680991672fa7

SHA1
0929b3d2134cc6abe27b32fa08eb3a80c7200cb3

SHA256
d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd

SHA512
931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Infinita.flv
MD5
c4e07c0bfe2859c8ff06a483545792e6

SHA1
1456bbcd34f0e912106a80bdffc61c5a4f6dc50f

SHA256
8cee33a6f40743340b93c2f175f4beed55f878f1e9fb00b7478ee0b1e73528df

SHA512
15d30aecdb96fd4510fec7b7d93d967bef7ad7ea1ee3094b7d80e6ce7476a1591afb32d7fb6328bee3aa8db4d36c3f118a96f1716697647cc7d6bad31a02067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
MD5
617289b98bf0f2b52f3b16654dc2c568

SHA1
0b59918c027484c0ad4263ccccde302eb6d656fd

SHA256
842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e

SHA512
7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
MD5
5d61882d714cd3e72f6b2ca2d88a456f

SHA1
85315e2ad09edb0051062c929c7d966589ac8340

SHA256
fa783d9734141a1a55d08299f3a92e5b75645b2ad979ec005df47730f53ff50a

SHA512
9c4450a04526990455850f94bc140aafd439657f3acecaefd826cdc579e47bad91e00c64dba7ca5f8726a36195579489283bfdd6f7e9fc0ff9fd40ef88731291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
MD5
0e10494978a9abfb9c454abf2a8b48b7

SHA1
04c1c65e8f3a5b8b21beee53f87e661ee4d7f4fa

SHA256
0cb9656846770fa2f1c6c279d762e3b5a2dd68c18d972982c2ee075d6d7f62b1

SHA512
742b8a3a01ef8a3299d72e049f2f8556b7e89ec8ca71298293e52f5b9bb21cfc4d06fc083db7dc49f6df930d50121ac7f28c288c2673aef5fc95348f29d21acf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/336-63-0x0000000000000000-mapping.dmp

Download
memory/560-60-0x0000000000000000-mapping.dmp

Download
memory/604-85-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/604-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/604-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/604-86-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/684-61-0x0000000000000000-mapping.dmp

Download
memory/696-55-0x0000000000000000-mapping.dmp

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/1100-54-0x0000000000000000-mapping.dmp

Download
memory/1196-74-0x0000000000000000-mapping.dmp

Download
memory/1196-80-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1304-57-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1304-56-0x0000000000000000-mapping.dmp

Download
memory/1760-87-0x0000000000000000-mapping.dmp

Download
memory/1760-88-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/1760-89-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1800-67-0x0000000000000000-mapping.dmp

Download