Overview

overview

10

Static

static

ee41d0d585...84.exe

windows7-x64

10

ee41d0d585...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe

  • Size

    232KB

  • MD5

    fe0bf3c6a4d6c72a25690a967fdd0982

  • SHA1

    19ed1b012e2b965e4832b6a83f01da3f8dbce379

  • SHA256

    ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

  • SHA512

    1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

Score
10/10
trickbotbankertrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe
    "C:\Users\Admin\AppData\Local\Temp\ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4984
    • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:3712
      • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
        C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          2⤵
            PID:3232

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a020844361f803a0b2574981e4161001_bfe458be-6a47-4012-a9d0-2c4333e0df83
          Filesize

          1KB

          MD5

          5273fbb78064bd9083ceb8c79379c99f

          SHA1

          0c7a9ce27e7b34176e92ac789d62b95600b5f87b

          SHA256

          381d9cb7bf226c98a691eac5e0d7de034bbd7b15f8ced8f43d34f9ce11202400

          SHA512

          8258510798815aabb2819d48cb148074eda4b93f3af519323e485bc9f23b919c62e2def31ad1539791f2d0f206df017f17fc676682df84db7e9c421731d9f7ec

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3463845317-933582289-45817732-1000\0f5007522459c86e95ffcc62f32308f1_bfe458be-6a47-4012-a9d0-2c4333e0df83
          Filesize

          1KB

          MD5

          8218fa9ecdfe947c367d8ae9e1583873

          SHA1

          f491158d0f5b1b2180c4f3a71f148eff7fb16a25

          SHA256

          5435cb9c9f0789ff17775ec38b661e647df06f1b8a601e289b37818d5ff24709

          SHA512

          5b5e570dcff720e7b443cf08d3cc992a09ac350b94cbd164a22fc97a053c96994bf2f951dc7b29ffda4a139285c2b4be852cd46b38357d847ebc9c6db02e9e90

          Download Submit
        • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
          Filesize

          232KB

          MD5

          fe0bf3c6a4d6c72a25690a967fdd0982

          SHA1

          19ed1b012e2b965e4832b6a83f01da3f8dbce379

          SHA256

          ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

          SHA512

          1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
          Filesize

          232KB

          MD5

          fe0bf3c6a4d6c72a25690a967fdd0982

          SHA1

          19ed1b012e2b965e4832b6a83f01da3f8dbce379

          SHA256

          ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

          SHA512

          1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
          Filesize

          232KB

          MD5

          fe0bf3c6a4d6c72a25690a967fdd0982

          SHA1

          19ed1b012e2b965e4832b6a83f01da3f8dbce379

          SHA256

          ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

          SHA512

          1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\WinSocket\ee41d0d69692efe1cb10c93b6b390277f70f9df4f49311943019cea1890dcd94.exe
          Filesize

          232KB

          MD5

          fe0bf3c6a4d6c72a25690a967fdd0982

          SHA1

          19ed1b012e2b965e4832b6a83f01da3f8dbce379

          SHA256

          ee41d0d58592efe1cb10c83b5b380266f60f9df4f49311943019cea1780dcd84

          SHA512

          1992eba8780a95aca116f90b329adf7b9f688aedbfad9dc2b511eb71ef3dd59580234b6cf1967736b5bef0bfdf0e5a384cc137797b82baff3d37f3de9a4bce4d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
          Filesize

          52KB

          MD5

          1413d98c5fb5bd84a10c9aee76c2aa61

          SHA1

          dc41b6cc29ac60d7318ec3d4f02ef7cd731456e7

          SHA256

          215fee73aadbe55318e78891bb561797905f79c31ecb4fbc5c9c2cd73a6a00ed

          SHA512

          4dcb58a73bedf63f8884a0319eb9b57c8e5b1ee169e8b601f0b98de74f6fe7ebfab895cd3f8d4e718e0bfaf6fafb43a8863a80cf91ae869c8df5cb3c727f5b2d

          Download Submit
        • memory/2132-174-0x0000000000180000-0x00000000001A9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3232-168-0x0000000000000000-mapping.dmp
          Download
        • memory/3712-155-0x0000000000000000-mapping.dmp
          Download
        • memory/4468-136-0x0000000000690000-0x00000000006B9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/4468-132-0x0000000000690000-0x00000000006B9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/4960-148-0x00000000007B0000-0x00000000007D9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/4960-139-0x0000000010000000-0x0000000010007000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4960-133-0x0000000000000000-mapping.dmp
          Download
        • memory/4984-144-0x0000000010000000-0x000000001001F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/4984-142-0x0000000000000000-mapping.dmp
          Download
        • memory/4996-150-0x0000000000F10000-0x0000000000F39000-memory.dmp
          Filesize

          164KB

          Download
        • memory/4996-161-0x0000000000F10000-0x0000000000F39000-memory.dmp
          Filesize

          164KB

          Download