Analysis

  • max time kernel
    170s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-06-2022 16:36

General

  • Target

    1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe

  • Size

    304KB

  • MD5

    5919aabbf2a93c1f1c2f492a8dac755e

  • SHA1

    02bdabad186f703bb73ad3f79d018996fdea9d71

  • SHA256

    1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

  • SHA512

    427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Malware Config

Extracted

Family

trickbot

Version

1000201

Botnet

ser0529

C2

109.86.227.152:443

185.129.78.167:443

190.4.189.129:443

103.228.142.14:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

208.75.117.70:449

92.55.251.211:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

185.42.192.194:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

82.146.59.174:443

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
    "C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
      "C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
        C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4136
        • C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
          C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4780
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Adds Run key to start application
            PID:2508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

    Filesize

    304KB

    MD5

    5919aabbf2a93c1f1c2f492a8dac755e

    SHA1

    02bdabad186f703bb73ad3f79d018996fdea9d71

    SHA256

    1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

    SHA512

    427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

  • C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

    Filesize

    304KB

    MD5

    5919aabbf2a93c1f1c2f492a8dac755e

    SHA1

    02bdabad186f703bb73ad3f79d018996fdea9d71

    SHA256

    1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

    SHA512

    427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

  • C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

    Filesize

    304KB

    MD5

    5919aabbf2a93c1f1c2f492a8dac755e

    SHA1

    02bdabad186f703bb73ad3f79d018996fdea9d71

    SHA256

    1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

    SHA512

    427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

  • memory/2508-150-0x0000000140000000-0x0000000140023000-memory.dmp

    Filesize

    140KB

  • memory/4112-139-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4112-133-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4780-144-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

  • memory/4780-148-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4780-156-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB