trickbot | bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4

General

Target

bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe
Size

600KB
MD5

9505b9103683330e861ce6ed0ece0270
SHA1

eefc9ac38568e0fa48c9d2db1ef352bd7918be7f
SHA256

bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4
SHA512

cdbe548243055cfa5060f2734dd7066ca466ff1a5cf95350af85994d10804fc3385101762c3d08f9a999a5c352c86b1b0494da702b068204cc2214caf69c7696

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 11 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3676-133-0x0000000003980000-0x00000000039AB000-memory.dmp	trickbot_loader32
behavioral2/memory/1444-145-0x0000000000400000-0x0000000000498000-memory.dmp	trickbot_loader32
behavioral2/memory/1444-146-0x0000000003740000-0x000000000376B000-memory.dmp	trickbot_loader32
behavioral2/memory/3676-149-0x0000000000400000-0x0000000000498000-memory.dmp	trickbot_loader32
behavioral2/memory/3676-150-0x0000000003980000-0x00000000039AB000-memory.dmp	trickbot_loader32
behavioral2/memory/1444-161-0x0000000000400000-0x0000000000498000-memory.dmp	trickbot_loader32
behavioral2/memory/1444-162-0x0000000003740000-0x000000000376B000-memory.dmp	trickbot_loader32
behavioral2/memory/4784-166-0x0000000000400000-0x0000000000498000-memory.dmp	trickbot_loader32
behavioral2/memory/4784-167-0x00000000022D0000-0x00000000022FB000-memory.dmp	trickbot_loader32
behavioral2/memory/4784-188-0x0000000000400000-0x0000000000498000-memory.dmp	trickbot_loader32
behavioral2/memory/4784-189-0x00000000022D0000-0x00000000022FB000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

pid	process
1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\EMP.DAT	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

420 powershell.exe
420 powershell.exe
5052 powershell.exe
5052 powershell.exe
4092 powershell.exe
4092 powershell.exe

pid	process
420	powershell.exe
420	powershell.exe
5052	powershell.exe
5052	powershell.exe
4092	powershell.exe
4092	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

description	pid	process
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeTcbPrivilege	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.execmd.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.execmd.exebbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.execmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 4484	3676	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe	cmd.exe
PID 3676 wrote to memory of 4484	3676	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe	cmd.exe
PID 4484 wrote to memory of 420	4484	cmd.exe	powershell.exe
PID 4484 wrote to memory of 420	4484	cmd.exe	powershell.exe
PID 3676 wrote to memory of 1444	3676	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
PID 3676 wrote to memory of 1444	3676	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
PID 3676 wrote to memory of 1444	3676	bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
PID 1444 wrote to memory of 552	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	cmd.exe
PID 1444 wrote to memory of 552	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	cmd.exe
PID 552 wrote to memory of 5052	552	cmd.exe	powershell.exe
PID 552 wrote to memory of 5052	552	cmd.exe	powershell.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 1444 wrote to memory of 3284	1444	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2840	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	cmd.exe
PID 4784 wrote to memory of 2840	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	cmd.exe
PID 2840 wrote to memory of 4092	2840	cmd.exe	powershell.exe
PID 2840 wrote to memory of 4092	2840	cmd.exe	powershell.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe
PID 4784 wrote to memory of 2412	4784	bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe
"C:\Users\Admin\AppData\Local\Temp\bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3284

C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660308776-3705150086-26593515-1000\0f5007522459c86e95ffcc62f32308f1_b975079f-5511-47c1-a87a-f7cd913ae83c
Filesize
1KB

MD5
475b7ab143aa10aed94878f8eea31f12

SHA1
fa1d6d95f72a4c2550e8305f4b241b8a9c6aa351

SHA256
b6c38bd9e0c7295bd209b97a877c0135fbd8d2d18a6953e143db302b30dc49a2

SHA512
28f74ddd2fb88eb120975a5c6b29a3d4f2ae2820a285b8c0e260a84c3bb35f77cccb1da9f3071a49b7b4137a1f786db05b19fd966bcf3306b18799ed6ae5e50c

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Filesize
600KB

MD5
9505b9103683330e861ce6ed0ece0270

SHA1
eefc9ac38568e0fa48c9d2db1ef352bd7918be7f

SHA256
bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4

SHA512
cdbe548243055cfa5060f2734dd7066ca466ff1a5cf95350af85994d10804fc3385101762c3d08f9a999a5c352c86b1b0494da702b068204cc2214caf69c7696

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Filesize
600KB

MD5
9505b9103683330e861ce6ed0ece0270

SHA1
eefc9ac38568e0fa48c9d2db1ef352bd7918be7f

SHA256
bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4

SHA512
cdbe548243055cfa5060f2734dd7066ca466ff1a5cf95350af85994d10804fc3385101762c3d08f9a999a5c352c86b1b0494da702b068204cc2214caf69c7696

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\bbd0ca9819965ce539ece8159ceb665202df9850f59c92c2d820d3baa08718f5.exe
Filesize
600KB

MD5
9505b9103683330e861ce6ed0ece0270

SHA1
eefc9ac38568e0fa48c9d2db1ef352bd7918be7f

SHA256
bbd0ca9719854ce438ece7149ceb554202df8740f48c82c2d720d3baa07617f4

SHA512
cdbe548243055cfa5060f2734dd7066ca466ff1a5cf95350af85994d10804fc3385101762c3d08f9a999a5c352c86b1b0494da702b068204cc2214caf69c7696

Download Submit
memory/420-136-0x00007FFAF27D0000-0x00007FFAF3291000-memory.dmp

Filesize
10.8MB

Download
memory/420-132-0x0000000000000000-mapping.dmp

Download
memory/420-135-0x00007FFAF27D0000-0x00007FFAF3291000-memory.dmp

Filesize
10.8MB

Download
memory/420-134-0x000001FB47C10000-0x000001FB47C32000-memory.dmp

Filesize
136KB

Download
memory/552-140-0x0000000000000000-mapping.dmp

Download
memory/1444-152-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1444-137-0x0000000000000000-mapping.dmp

Download
memory/1444-145-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1444-146-0x0000000003740000-0x000000000376B000-memory.dmp

Filesize
172KB

Download
memory/1444-162-0x0000000003740000-0x000000000376B000-memory.dmp

Filesize
172KB

Download
memory/1444-161-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2412-182-0x0000000000000000-mapping.dmp

Download
memory/2840-164-0x0000000000000000-mapping.dmp

Download
memory/3284-155-0x0000000000000000-mapping.dmp

Download
memory/3284-157-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3676-133-0x0000000003980000-0x00000000039AB000-memory.dmp

Filesize
172KB

Download
memory/3676-149-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3676-130-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3676-150-0x0000000003980000-0x00000000039AB000-memory.dmp

Filesize
172KB

Download
memory/4092-175-0x00000158E16B0000-0x00000158E16B6000-memory.dmp

Filesize
24KB

Download
memory/4092-174-0x00000158E1680000-0x00000158E1688000-memory.dmp

Filesize
32KB

Download
memory/4092-165-0x0000000000000000-mapping.dmp

Download
memory/4092-177-0x00007FFAF1B90000-0x00007FFAF2651000-memory.dmp

Filesize
10.8MB

Download
memory/4092-176-0x00000158E16C0000-0x00000158E16CA000-memory.dmp

Filesize
40KB

Download
memory/4092-168-0x00007FFAF1B90000-0x00007FFAF2651000-memory.dmp

Filesize
10.8MB

Download
memory/4092-169-0x00000158E1450000-0x00000158E146C000-memory.dmp

Filesize
112KB

Download
memory/4092-170-0x00000158E1240000-0x00000158E124A000-memory.dmp

Filesize
40KB

Download
memory/4092-171-0x00000158E1690000-0x00000158E16AC000-memory.dmp

Filesize
112KB

Download
memory/4092-172-0x00000158E1670000-0x00000158E167A000-memory.dmp

Filesize
40KB

Download
memory/4092-173-0x00000158E16D0000-0x00000158E16EA000-memory.dmp

Filesize
104KB

Download
memory/4484-131-0x0000000000000000-mapping.dmp

Download
memory/4784-167-0x00000000022D0000-0x00000000022FB000-memory.dmp

Filesize
172KB

Download
memory/4784-166-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4784-188-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4784-189-0x00000000022D0000-0x00000000022FB000-memory.dmp

Filesize
172KB

Download
memory/5052-148-0x00007FFAF2370000-0x00007FFAF2E31000-memory.dmp

Filesize
10.8MB

Download
memory/5052-142-0x0000000000000000-mapping.dmp

Download
memory/5052-147-0x00007FFAF2370000-0x00007FFAF2E31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads