Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-08-2022 22:10
- Static task: static1
General
- Target: qca.exe
- Size: 383KB
- MD5: b065af93b5fd551526705b5968d0ca10
- SHA1: e807ff55829a205941096b8edfcda6a0cdc3ccc1
- SHA256: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
- SHA512: dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4
Malware Config
Extracted
- Family: trickbot
- Version: 1000271
- Botnet: lib322
- C2: 39 IP:port endpoints (ports 443 and 449), list omitted
- autorun:
  - Control: GetSystemInfo, Name: systeminfo
  - Name: injectDll
Signatures
-
Trickbot x86 loader 2 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
- behavioral1/memory/1204-67-0x00000000003A0000-0x00000000003DD000-memory.dmp: yara rule trickbot_loader32
- behavioral1/memory/1556-81-0x00000000004B0000-0x00000000004ED000-memory.dmp: yara rule trickbot_loader32
Executes dropped EXE 1 IoCs
Processes:
- rca.exe (pid 1556)
Stops running service(s) 3 TTPs
-
Loads dropped DLL 2 IoCs
Processes:
- qca.exe (pid 1204), 2 entries
Drops file in System32 directory 1 IoCs
Processes:
- powershell.exe: File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe (pid 1376)
- sc.exe (pid 1704)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- qca.exe (pid 1204), 3 entries
- powershell.exe (pid 288)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- powershell.exe (pid 288): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1204 (qca.exe) wrote to memory of 1280 (cmd.exe), 4 entries
- PID 1204 (qca.exe) wrote to memory of 1252 (cmd.exe), 4 entries
- PID 1204 (qca.exe) wrote to memory of 1636 (cmd.exe), 4 entries
- PID 1204 (qca.exe) wrote to memory of 1556 (rca.exe), 4 entries
- PID 1252 (cmd.exe) wrote to memory of 1376 (sc.exe), 4 entries
- PID 1280 (cmd.exe) wrote to memory of 1704 (sc.exe), 4 entries
- PID 1636 (cmd.exe) wrote to memory of 288 (powershell.exe), 4 entries
- PID 1556 (rca.exe) wrote to memory of 788 (svchost.exe), the remaining 36 of the 64 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\qca.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\qca.exe" (level 1)
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc stop WinDefend (level 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop WinDefend (level 3)
      - Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc delete WinDefend (level 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete WinDefend (level 3)
      - Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true (level 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true (level 3)
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\AMNI\rca.exe
    command line: C:\Users\Admin\AppData\Roaming\AMNI\rca.exe (level 2)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe (level 3)
Downloads
- C:\Users\Admin\AppData\Roaming\AMNI\rca.exe
  Filesize: 383KB
  MD5: b065af93b5fd551526705b5968d0ca10
  SHA1: e807ff55829a205941096b8edfcda6a0cdc3ccc1
  SHA256: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
  SHA512: dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4
  (identical hashes to the submitted qca.exe, i.e. the sample copies itself; the report lists the same file twice more as \Users\Admin\AppData\Roaming\AMNI\rca.exe with the same size and hashes)
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2591564548-2301609547-1748242483-1000\0f5007522459c86e95ffcc62f32308f1_cea0eab3-c223-4f79-bf84-9af11aecddbc
  Filesize: 1KB
  MD5: 405ffba71bce26c6e66e0c53a170e78e
  SHA1: e6bfa53d61e2ecc8c29dfc38582778f9ad6020a3
  SHA256: d3b152c192a482d4384acd7a4fea31b173826e35ffc71d9a0a4816df8e467996
  SHA512: a441d805e19e28ea98a79ccce40fda4f8b08004b6b4e10da5d6d7b14f8b98da68b72458ef32001b7665946454361e343fb9880ee16e48176658fad806b522dad
- memory/288-83-0x0000000074480000-0x0000000074A2B000-memory.dmp: 5.7MB
- memory/288-82-0x0000000074480000-0x0000000074A2B000-memory.dmp: 5.7MB
- memory/288-65-0x0000000000000000-mapping.dmp
- memory/788-73-0x0000000000000000-mapping.dmp
- memory/788-75-0x0000000140000000-0x0000000140035000-memory.dmp: 212KB
- memory/1204-54-0x0000000076761000-0x0000000076763000-memory.dmp: 8KB
- memory/1204-67-0x00000000003A0000-0x00000000003DD000-memory.dmp: 244KB
- memory/1252-56-0x0000000000000000-mapping.dmp
- memory/1280-55-0x0000000000000000-mapping.dmp
- memory/1376-62-0x0000000000000000-mapping.dmp
- memory/1556-60-0x0000000000000000-mapping.dmp
- memory/1556-70-0x0000000010000000-0x0000000010007000-memory.dmp: 28KB
- memory/1556-81-0x00000000004B0000-0x00000000004ED000-memory.dmp: 244KB
- memory/1636-57-0x0000000000000000-mapping.dmp
- memory/1704-64-0x0000000000000000-mapping.dmp