Analysis

  • max time kernel
    283s
  • max time network
    293s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-06-2022 13:51

General

  • Target

    81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77.exe

  • Size

    432KB

  • MD5

    7773c8164949a42936c4d1374cf16284

  • SHA1

    9e92535dc7bcdd7bf677a643f90ee730784edfc6

  • SHA256

    81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

  • SHA512

    8569116004d7b7154fced5a1a6f9d6ed111cae4cf71a68942fc0b978f5fb42db5b595c059fa77bd787cb923c99894dfc07accbc201c38caa02e3f2a235a9d61c

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

yas45

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Dave packer 2 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

  • Drops file in System32 directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77.exe
    "C:\Users\Admin\AppData\Local\Temp\81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1832-139-0x0000011CDA0D0000-0x0000011CDA0F4000-memory.dmp

    Filesize

    144KB

  • memory/1832-140-0x0000011CDA0D0000-0x0000011CDA0F4000-memory.dmp

    Filesize

    144KB

  • memory/4688-130-0x0000000002530000-0x0000000002567000-memory.dmp

    Filesize

    220KB

  • memory/4688-134-0x00000000025B0000-0x00000000025E3000-memory.dmp

    Filesize

    204KB

  • memory/4688-135-0x00000000022B0000-0x00000000022E4000-memory.dmp

    Filesize

    208KB

  • memory/4688-136-0x0000000002570000-0x00000000025A3000-memory.dmp

    Filesize

    204KB

  • memory/4688-137-0x00000000025B1000-0x00000000025E3000-memory.dmp

    Filesize

    200KB

  • memory/4688-141-0x00000000025B1000-0x00000000025E3000-memory.dmp

    Filesize

    200KB