Overview

overview

10

Static

static

qca.exe

windows7-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22-08-2022 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qca.exe

  • Size

    383KB

  • MD5

    b065af93b5fd551526705b5968d0ca10

  • SHA1

    e807ff55829a205941096b8edfcda6a0cdc3ccc1

  • SHA256

    28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

  • SHA512

    dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

Score
10/10
trickbotlib322bankerevasiontrojan

Malware Config

Extracted

Family

trickbot

Version

1000271

Botnet

lib322

C2

195.54.163.210:443

94.181.47.198:449

81.21.121.138:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

185.251.38.135:443

170.81.32.66:449

42.115.91.177:443

107.173.102.231:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 2 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qca.exe
    "C:\Users\Admin\AppData\Local\Temp\qca.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:288
    • C:\Users\Admin\AppData\Roaming\AMNI\rca.exe
      C:\Users\Admin\AppData\Roaming\AMNI\rca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:788

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    Impair Defenses

    1
    T1562

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\AMNI\rca.exe
      Filesize

      383KB

      MD5

      b065af93b5fd551526705b5968d0ca10

      SHA1

      e807ff55829a205941096b8edfcda6a0cdc3ccc1

      SHA256

      28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

      SHA512

      dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2591564548-2301609547-1748242483-1000\0f5007522459c86e95ffcc62f32308f1_cea0eab3-c223-4f79-bf84-9af11aecddbc
      Filesize

      1KB

      MD5

      405ffba71bce26c6e66e0c53a170e78e

      SHA1

      e6bfa53d61e2ecc8c29dfc38582778f9ad6020a3

      SHA256

      d3b152c192a482d4384acd7a4fea31b173826e35ffc71d9a0a4816df8e467996

      SHA512

      a441d805e19e28ea98a79ccce40fda4f8b08004b6b4e10da5d6d7b14f8b98da68b72458ef32001b7665946454361e343fb9880ee16e48176658fad806b522dad

      Download Submit
    • \Users\Admin\AppData\Roaming\AMNI\rca.exe
      Filesize

      383KB

      MD5

      b065af93b5fd551526705b5968d0ca10

      SHA1

      e807ff55829a205941096b8edfcda6a0cdc3ccc1

      SHA256

      28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

      SHA512

      dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

      Download Submit
    • \Users\Admin\AppData\Roaming\AMNI\rca.exe
      Filesize

      383KB

      MD5

      b065af93b5fd551526705b5968d0ca10

      SHA1

      e807ff55829a205941096b8edfcda6a0cdc3ccc1

      SHA256

      28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

      SHA512

      dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

      Download Submit
    • memory/288-83-0x0000000074480000-0x0000000074A2B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/288-82-0x0000000074480000-0x0000000074A2B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/288-65-0x0000000000000000-mapping.dmp
      Download
    • memory/788-73-0x0000000000000000-mapping.dmp
      Download
    • memory/788-75-0x0000000140000000-0x0000000140035000-memory.dmp
      Filesize

      212KB

      Download
    • memory/1204-54-0x0000000076761000-0x0000000076763000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1204-67-0x00000000003A0000-0x00000000003DD000-memory.dmp
      Filesize

      244KB

      Download
    • memory/1252-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1280-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1376-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-70-0x0000000010000000-0x0000000010007000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1556-81-0x00000000004B0000-0x00000000004ED000-memory.dmp
      Filesize

      244KB

      Download
    • memory/1636-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-64-0x0000000000000000-mapping.dmp
      Download