Overview

overview

10

Static

static

7f456f8b01...ed.exe

windows7-x64

10

7f456f8b01...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe

  • Size

    566KB

  • MD5

    f12de9a9858b332eb530c1f5cdc069aa

  • SHA1

    7f456f8b01fc8866aeed4678a14479b6eaa62fed

  • SHA256

    70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72

  • SHA512

    6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca

  • SSDEEP

    6144:vDbbqDfFxoi9qL0W4Rl/EagUzdxcXxcEMcCYjYdjVOQnbok9P4atXkisULOWn20n:veDfYatZlthsWEsVV5lUisULO/ZxxG

Score
10/10
trickbotser0724bankerpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000235

Botnet

ser0724

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

198.53.63.120:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

24.231.0.139:443

84.237.228.13:443

138.34.32.19:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 3 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe
    "C:\Users\Admin\AppData\Local\Temp\7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe
      "C:\Users\Admin\AppData\Local\Temp\7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
        C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
          C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Adds Run key to start application
            PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2971393436-602173351-1645505021-1000\0f5007522459c86e95ffcc62f32308f1_957af1f1-6875-4c40-9804-a0dcc430f453
    Filesize

    1KB

    MD5

    f2dfaaf6a9cdf05417590a9e39dfd328

    SHA1

    37a5d16a8e962579615b75a1f1ea3850ea12bbf4

    SHA256

    a30f9fd7a9b47681c93a2da1187a64f3473d8a84cce6c50c9f4f2d4c4ac6c3e2

    SHA512

    0115cb134e16decc1ae5937b014ae200dd36ca51c32f4096fe2baf3cb5def843e4441f828b8414b63feddb9446b0731ede128eb0c37830ef522d003470da3368

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
    Filesize

    566KB

    MD5

    f12de9a9858b332eb530c1f5cdc069aa

    SHA1

    7f456f8b01fc8866aeed4678a14479b6eaa62fed

    SHA256

    70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72

    SHA512

    6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
    Filesize

    566KB

    MD5

    f12de9a9858b332eb530c1f5cdc069aa

    SHA1

    7f456f8b01fc8866aeed4678a14479b6eaa62fed

    SHA256

    70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72

    SHA512

    6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msglob\8f467f9b01fc9977aeed4789a14489b7eaa72fed.exe
    Filesize

    566KB

    MD5

    f12de9a9858b332eb530c1f5cdc069aa

    SHA1

    7f456f8b01fc8866aeed4678a14479b6eaa62fed

    SHA256

    70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72

    SHA512

    6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca

    Download Submit
  • memory/1580-144-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-147-0x0000000010000000-0x0000000010007000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1580-158-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/2896-132-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3304-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4364-150-0x0000000000000000-mapping.dmp
    Download
  • memory/4364-152-0x0000000140000000-0x0000000140036000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4780-139-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/4780-135-0x0000000000000000-mapping.dmp
    Download