Analysis

  • max time kernel
    60s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 07:10

General

  • Target

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe

  • Size

    428KB

  • MD5

    cd40c5aac2b062de2b52641c98268aa5

  • SHA1

    0a7e67671c522a702d853f2a75f80e4a1d799a52

  • SHA256

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

  • SHA512

    bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000498

  • Botnet

    wmd38

  • C2

    5.182.210.226:443
    82.146.62.52:443
    164.68.120.56:443
    185.11.146.86:443
    5.2.78.70:443
    185.65.202.240:443
    193.26.217.243:443
    81.177.180.254:443
    5.34.177.40:443
    185.186.77.222:443
    188.227.84.209:443
    185.45.193.76:443
    46.229.213.27:443
    88.99.112.87:443
    51.254.164.240:443
    45.148.120.13:443
    5.2.78.77:443
    64.44.51.125:443
    107.172.165.149:443
    45.148.120.14:443

Attributes

  • autorun

    Name:pwgrab

  • ecc_pubkey.base64
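The extracted C2 list is the most directly actionable part of this report. The script below (an added example, not part of the sandbox output) turns the twenty ip:port pairs from the config into a lookup set and sweeps firewall-style log lines for connections to them, distinguishing exact ip+port matches from IP-only matches. The log lines are constructed for illustration; only the C2 addresses come from the report.

```python
"""Match log traffic against the C2 endpoints extracted from this sample.

Added example. C2 addresses are copied from the report's Malware Config;
the log lines and the field layout (src=/dst=/dport=) are constructed."""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# C2 endpoints as extracted from the sample's config (report above).
C2_ENDPOINTS = """
5.182.210.226:443 82.146.62.52:443 164.68.120.56:443 185.11.146.86:443
5.2.78.70:443 185.65.202.240:443 193.26.217.243:443 81.177.180.254:443
5.34.177.40:443 185.186.77.222:443 188.227.84.209:443 185.45.193.76:443
46.229.213.27:443 88.99.112.87:443 51.254.164.240:443 45.148.120.13:443
5.2.78.77:443 64.44.51.125:443 107.172.165.149:443 45.148.120.14:443
""".split()


def parse_endpoints(entries: Iterable[str]) -> Set[Tuple[str, int]]:
    """Validate 'ip:port' strings and return a set of (ip, port) tuples.

    ipaddress.ip_address() raises ValueError on anything that is not an
    address, so a typo in a hand-copied IOC list fails loudly here rather
    than silently never matching."""
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)
        out.add((str(ip), int(port)))
    return out


C2_SET = parse_endpoints(C2_ENDPOINTS)
C2_IPS = {ip for ip, _ in C2_SET}

# Constructed firewall-style lines (not from the report). The third and
# fourth lines hit the same C2 host on two different ports on purpose.
SAMPLE_LOG = """\
2022-07-01T07:11:02Z fw allow src=10.0.5.23 dst=5.182.210.226 dport=443 proto=tcp
2022-07-01T07:11:05Z fw allow src=10.0.5.23 dst=142.250.74.46 dport=443 proto=tcp
2022-07-01T07:11:09Z fw allow src=10.0.5.40 dst=45.148.120.14 dport=443 proto=tcp
2022-07-01T07:11:12Z fw allow src=10.0.5.40 dst=45.148.120.14 dport=8080 proto=tcp
2022-07-01T07:11:15Z fw deny src=10.0.5.23 dst=185.11.146.86 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def find_c2_hits(lines: Iterable[str]) -> List[Tuple[str, str, int, bool]]:
    """Return (src, dst, dport, exact) for every line whose destination is a C2.

    exact is True when ip and port both match the config and False when only
    the IP does. Other TrickBot configs list the same hosts on other ports, so
    IP-only matches are still worth review rather than being dropped."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst in C2_IPS:
            hits.append((m["src"], dst, dport, (dst, dport) in C2_SET))
    return hits


def affected_hosts(lines: Iterable[str]) -> Set[str]:
    """Internal sources that talked to any C2, for the containment list."""
    return {src for src, _, _, _ in find_c2_hits(lines)}


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG.splitlines()):
        print(hit)
    print("hosts to isolate:", sorted(affected_hosts(SAMPLE_LOG.splitlines())))
```

A denied connection (the last constructed line) is still reported: a blocked beacon attempt is the signal that the host is infected, not evidence that it is clean.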

Signatures

  • Trickbot

    First seen in 2016, TrickBot is a modular banking Trojan.

  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Dave packer 3 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

  • Executes dropped EXE 1 IoCs

    The dropped executable (C:\ProgramData\ьтتدتգդᠲ.exe, see Downloads) has the same MD5, SHA1 and SHA256 as the submitted sample: the loader copies itself unchanged into C:\ProgramData and relaunches from there.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic "likely ransomware behaviour" note does not fit this family: TrickBot is not ransomware, and drive enumeration here is part of its host reconnaissance.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe
    "C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\ProgramData\ьтتدتգդᠲ.exe
      "C:\ProgramData\ьтتدتգդᠲ.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of SetWindowsHookEx
      PID:768
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1a8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1632
    (Windows Audio Device Graph Isolation, started by the Windows Audio service; it is a separate root in the tree, not a child of the sample, and the privilege-token hit is normal for this process.)
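The process tree above, read together with the Downloads hashes, is a reusable host-side pattern: a binary in the user's Temp directory spawns a child from C:\ProgramData whose image hash equals its own, under a filename that mixes several writing systems. The script below (an added example, not sandbox output) checks process-creation telemetry for that pattern. The events are constructed in the shape of this report's tree (PIDs 1828, 768 and 1632); the field names, the parent PIDs of the two roots and the AUDIODG hash are assumptions.

```python
"""Flag a loader that self-copies from %TEMP% into C:\\ProgramData and
relaunches under a mixed-script filename, as in this report's process tree.

Added example. Event layout (pid/ppid/image/sha256) is Sysmon-like but
assumed; the root processes' parent PIDs and the AUDIODG hash are made up."""
import unicodedata
from pathlib import PureWindowsPath
from typing import Dict, List, Set

SAMPLE_SHA256 = "6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210"

# Constructed process-creation events mirroring the report's tree.
EVENTS = [
    {"pid": 1828, "ppid": 900,  # ppid assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe",
     "sha256": SAMPLE_SHA256},
    {"pid": 768, "ppid": 1828,
     "image": r"C:\ProgramData\ьтتدتգդᠲ.exe",
     "sha256": SAMPLE_SHA256},  # identical to the parent (Downloads section)
    {"pid": 1632, "ppid": 880,  # ppid assumed; separate root, not a child
     "image": r"C:\Windows\system32\AUDIODG.EXE",
     "sha256": "aa" * 32},  # placeholder, not the real hash
]


def letter_scripts(name: str) -> Set[str]:
    """Rough script set of a name: first word of each letter's Unicode name
    (CYRILLIC, ARABIC, ARMENIAN, LATIN, ...). Digits and punctuation ignored."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}


def in_user_temp(image: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "users" in parts and "temp" in parts


def in_programdata(image: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return len(parts) > 1 and parts[1] == "programdata"


def find_self_copy_drops(events: List[Dict], min_scripts: int = 2) -> List[Dict]:
    """Return one finding per child that was launched from C:\\ProgramData by a
    parent running out of the user's Temp directory and that either carries
    the parent's own hash (self-copy) or has a name spanning min_scripts or
    more writing systems. Either condition alone is enough to flag."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue  # root process, nothing to compare against
        if not (in_user_temp(parent["image"]) and in_programdata(child["image"])):
            continue
        same_hash = parent["sha256"] == child["sha256"]
        scripts = letter_scripts(PureWindowsPath(child["image"]).stem)
        if same_hash or len(scripts) >= min_scripts:
            findings.append({
                "parent_pid": parent["pid"],
                "child_pid": child["pid"],
                "child_image": child["image"],
                "same_hash": same_hash,
                "scripts": sorted(scripts),
            })
    return findings


if __name__ == "__main__":
    for f in find_self_copy_drops(EVENTS):
        print(f)
```

The hash comparison is the strong signal; the mixed-script check is a weaker secondary one that also catches variants that re-pack the copy, at the cost of occasional hits on legitimately localised file names.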

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\ProgramData\ьтتدتգդᠲ.exe
    Filesize

    428KB

    MD5

    cd40c5aac2b062de2b52641c98268aa5

    SHA1

    0a7e67671c522a702d853f2a75f80e4a1d799a52

    SHA256

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

    SHA512

    bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

  • \ProgramData\ьтتدتգդᠲ.exe
    Filesize

    428KB

    MD5

    cd40c5aac2b062de2b52641c98268aa5

    SHA1

    0a7e67671c522a702d853f2a75f80e4a1d799a52

    SHA256

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

    SHA512

    bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

  • memory/768-61-0x0000000000000000-mapping.dmp
  • memory/768-69-0x0000000002F00000-0x0000000002F31000-memory.dmp
    Filesize

    196KB

  • memory/768-64-0x0000000002EC0000-0x0000000002EF4000-memory.dmp
    Filesize

    208KB

  • memory/768-72-0x0000000002F01000-0x0000000002F31000-memory.dmp
    Filesize

    192KB

  • memory/768-71-0x0000000001DB0000-0x0000000001DE0000-memory.dmp
    Filesize

    192KB

  • memory/1828-54-0x0000000076011000-0x0000000076013000-memory.dmp
    Filesize

    8KB

  • memory/1828-55-0x00000000021F0000-0x0000000002224000-memory.dmp
    Filesize

    208KB

  • memory/1828-70-0x00000000021B0000-0x00000000021E1000-memory.dmp
    Filesize

    196KB