Overview

overview

10

Static

static

ee41d0d585...84.exe

windows7-x64

10

ee41d0d585...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe

  • Size

    232KB

  • MD5

    fe0bf3c6a4d6c72a25690a967fdd0982

  • SHA1

    19ed1b012e2b965e4832b6a83f01da3f8dbce379

  • SHA256

    ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

  • SHA512

    1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

Score
10/10
trickbotbankerevasiontrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 3 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe
    "C:\Users\Admin\AppData\Local\Temp\ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:240
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:948
    • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1976

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    Impair Defenses

    1
    T1562

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-335065374-4263250628-1829373619-1000\0f5007522459c86e95ffcc62f32308f1_0e48fa26-0403-4155-8666-47cf3ae5a0ae
      Filesize

      1KB

      MD5

      0f1c34ee394687a7ff4a029f495e34b4

      SHA1

      0bbca3c6bd61f98562a4cfeacd55b6f04d011586

      SHA256

      5decc7585455fe413f18583e11b4f7b8e0f58b906df4ceec0f940949c4abe7bf

      SHA512

      fc8963cd20e6e1cce25b88820fb2dc3e68be8924d063ead7b2a55123dfa4ed001341c61d71ee285612e5a5a3cbc7682dd17c52aaa96b5b94d8a2e54d180c0596

      Download Submit
    • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      Filesize

      232KB

      MD5

      fe0bf3c6a4d6c72a25690a967fdd0982

      SHA1

      19ed1b012e2b965e4832b6a83f01da3f8dbce379

      SHA256

      ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

      SHA512

      1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

      Download Submit
    • \Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      Filesize

      232KB

      MD5

      fe0bf3c6a4d6c72a25690a967fdd0982

      SHA1

      19ed1b012e2b965e4832b6a83f01da3f8dbce379

      SHA256

      ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

      SHA512

      1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

      Download Submit
    • \Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      Filesize

      232KB

      MD5

      fe0bf3c6a4d6c72a25690a967fdd0982

      SHA1

      19ed1b012e2b965e4832b6a83f01da3f8dbce379

      SHA256

      ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

      SHA512

      1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

      Download Submit
    • memory/240-66-0x0000000000000000-mapping.dmp
      Download
    • memory/276-56-0x0000000000000000-mapping.dmp
      Download
    • memory/948-64-0x0000000000000000-mapping.dmp
      Download
    • memory/948-82-0x0000000073D20000-0x00000000742CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/948-81-0x0000000073D20000-0x00000000742CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1132-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-80-0x00000000002B0000-0x00000000002D9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1556-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-71-0x0000000010000000-0x0000000010007000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1648-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1748-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1968-55-0x0000000000450000-0x0000000000479000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1968-54-0x0000000075891000-0x0000000075893000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1968-63-0x0000000000450000-0x0000000000479000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1976-76-0x0000000010000000-0x000000001001F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1976-74-0x0000000000000000-mapping.dmp
      Download