Analysis

  • max time kernel
    156s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:18

General

  • Target

    7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe

  • Size

    324KB

  • MD5

    b2dc507828839a7be9480788f3070f22

  • SHA1

    006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

  • SHA256

    7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

  • SHA512

    b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Malware Config

Extracted

Family

trickbot

Version

1000491

Botnet

red2

C2

Attributes
  • autorun
    Name: pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
    "C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\ProgramData\ñôâÿûâÛÔ.exe
      "C:\ProgramData\ñôâÿûâÛÔ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:5072
    • C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
      C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery
      • Query Registry (1) T1012
      • System Information Discovery (2) T1082

    Downloads

    • C:\ProgramData\ñôâÿûâÛÔ.exe
      Filesize

      324KB

      MD5

      b2dc507828839a7be9480788f3070f22

      SHA1

      006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

      SHA256

      7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

      SHA512

      b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

    • C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
      Filesize

      324KB

      MD5

      b2dc507828839a7be9480788f3070f22

      SHA1

      006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

      SHA256

      7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

      SHA512

      b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

    • memory/2228-144-0x0000000010001000-0x0000000010005000-memory.dmp
      Filesize

      16KB

    • memory/2228-143-0x0000000000A01000-0x0000000000A2D000-memory.dmp
      Filesize

      176KB

    • memory/3704-146-0x00000225BCAA0000-0x00000225BCAC0000-memory.dmp
      Filesize

      128KB

    • memory/3704-145-0x00000225BCAA0000-0x00000225BCAC0000-memory.dmp
      Filesize

      128KB

    • memory/3704-142-0x0000000000000000-mapping.dmp
    • memory/5072-134-0x0000000000000000-mapping.dmp
    • memory/5072-138-0x0000025D8AAE0000-0x0000025D8AB00000-memory.dmp
      Filesize

      128KB

    • memory/5072-137-0x0000025D8AAE0000-0x0000025D8AB00000-memory.dmp
      Filesize

      128KB

    • memory/5080-136-0x00000000009C1000-0x00000000009ED000-memory.dmp
      Filesize

      176KB

    • memory/5080-135-0x0000000000990000-0x00000000009BD000-memory.dmp
      Filesize

      180KB

    • memory/5080-130-0x0000000000000000-mapping.dmp
    • memory/5080-133-0x00000000009C0000-0x00000000009ED000-memory.dmp
      Filesize

      180KB