Overview

overview

10

Static

static

6120ea3fe5...10.exe

windows7_x64

10

6120ea3fe5...10.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe

  • Size

    428KB

  • MD5

    cd40c5aac2b062de2b52641c98268aa5

  • SHA1

    0a7e67671c522a702d853f2a75f80e4a1d799a52

  • SHA256

    6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

  • SHA512

    bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

Score
10/10
trickbotwmd38bankerdavetrojan

Malware Config

Extracted

Family

trickbot

Version

1000498

Botnet

wmd38

C2

5.182.210.226:443

82.146.62.52:443

164.68.120.56:443

185.11.146.86:443

5.2.78.70:443

185.65.202.240:443

193.26.217.243:443

81.177.180.254:443

5.34.177.40:443

185.186.77.222:443

188.227.84.209:443

185.45.193.76:443

46.229.213.27:443

88.99.112.87:443

51.254.164.240:443

45.148.120.13:443

5.2.78.77:443

64.44.51.125:443

107.172.165.149:443

45.148.120.14:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 7 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Dave packer 3 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe
    "C:\Users\Admin\AppData\Local\Temp\6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\ProgramData\ьтتدتգդᠲ.exe
      "C:\ProgramData\ьтتدتգդᠲ.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4656
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4c0 0x458
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:816

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\ьтتدتգդᠲ.exe
      Filesize

      428KB

      MD5

      cd40c5aac2b062de2b52641c98268aa5

      SHA1

      0a7e67671c522a702d853f2a75f80e4a1d799a52

      SHA256

      6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

      SHA512

      bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

      Download Submit
    • C:\ProgramData\ьтتدتգդᠲ.exe
      Filesize

      428KB

      MD5

      cd40c5aac2b062de2b52641c98268aa5

      SHA1

      0a7e67671c522a702d853f2a75f80e4a1d799a52

      SHA256

      6120ea3fe512a9a279028cfc4203687efecc92ca0c7a4fad3711b7e92930c210

      SHA512

      bff80e65d2dbda7ce7108846b9948bd0936e168722f741b397e1050fb52095b1a8eb6aa507d2149693d719d80c3ab694db451dc53da70ad7ffcc861aabeb46aa

      Download Submit
    • memory/220-142-0x0000000002CA0000-0x0000000002CD1000-memory.dmp
      Filesize

      196KB

      Download
    • memory/220-135-0x0000000000000000-mapping.dmp
      Download
    • memory/220-138-0x0000000002C30000-0x0000000002C64000-memory.dmp
      Filesize

      208KB

      Download
    • memory/220-143-0x0000000002C70000-0x0000000002CA0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/220-144-0x0000000002CA1000-0x0000000002CD1000-memory.dmp
      Filesize

      192KB

      Download
    • memory/220-146-0x0000000010001000-0x0000000010005000-memory.dmp
      Filesize

      16KB

      Download
    • memory/220-148-0x0000000002CA1000-0x0000000002CD1000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3700-134-0x0000000002D70000-0x0000000002DA1000-memory.dmp
      Filesize

      196KB

      Download
    • memory/3700-130-0x0000000002DB0000-0x0000000002DE4000-memory.dmp
      Filesize

      208KB

      Download
    • memory/4656-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4656-147-0x0000021285280000-0x00000212852A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4656-149-0x0000021285280000-0x00000212852A2000-memory.dmp
      Filesize

      136KB

      Download