Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11-03-2023 15:50
General
-
Target
b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172.exe
-
Size
368KB
-
MD5
8402ab33eafb84178069f8f490ca604d
-
SHA1
516c7a538e93f7cf4bff29196511f94e5fbb5a40
-
SHA256
b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172
-
SHA512
ef0953826940f1eb6a596ed312d908b1e373e61972d8efbd2336425a7f13e6846c0f7341be2c78ac47c7786bacbe94336dcc51d0b270f8aaaa4842256da9ab97
-
SSDEEP
6144:jo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qM:jmSuOcHmnYhrDMTrban4qM
Malware Config
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 3 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172.exe"C:\Users\Admin\AppData\Local\Temp\b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WNetval\b8cbc6e6dc192c9d99909cd74d37834abeb7bfac16e7efc2ebcc2c68264bf182.exeC:\Users\Admin\AppData\Roaming\WNetval\b8cbc6e6dc192c9d99909cd74d37834abeb7bfac16e7efc2ebcc2c68264bf182.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1914912747-3343861975-731272777-1000\0f5007522459c86e95ffcc62f32308f1_7cb1702c-0be5-45ad-8dac-6cdb371ef9ccFilesize
1KB
MD5996ae25582b956b3d31e988d53bc5f83
SHA17fa174bd94ecb0808368d182295733360cf0cb70
SHA25636aff1996550516c721295a17272e6ea7c042f695969c075f97802a0d61046eb
SHA5122b077ea9f47c3dd6e570ee6d0092ba1edadcaa6768e08642a1e55ef89863aaafaf9a4b97dbf3f9b9f77a89171fb1d39c49baae2ae0c5a275c4e722f02ccf9d54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7GB9MMR7DHD2M4WC7VH0.tempFilesize
7KB
MD54b2c3ac7998b5dcf4e8725bb1dbd12bf
SHA18a4e66075ca3dff9a3ebd47a0981c7b547444310
SHA256b474fa872dc0bb4ebcaa7240df2704b5fd6a2c707e1682d8f498356f6a61a440
SHA512d44edefd41b555b540ddf2a1c670dfbd37707d8e3bd44515b3dece770d5bf68fec2f07f385fe506581885d25edb4ff8b7ac9ec099ea892e616d8a3f04df90544
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD54b2c3ac7998b5dcf4e8725bb1dbd12bf
SHA18a4e66075ca3dff9a3ebd47a0981c7b547444310
SHA256b474fa872dc0bb4ebcaa7240df2704b5fd6a2c707e1682d8f498356f6a61a440
SHA512d44edefd41b555b540ddf2a1c670dfbd37707d8e3bd44515b3dece770d5bf68fec2f07f385fe506581885d25edb4ff8b7ac9ec099ea892e616d8a3f04df90544
-
C:\Users\Admin\AppData\Roaming\WNetval\b8cbc6e6dc192c9d99909cd74d37834abeb7bfac16e7efc2ebcc2c68264bf182.exeFilesize
368KB
MD58402ab33eafb84178069f8f490ca604d
SHA1516c7a538e93f7cf4bff29196511f94e5fbb5a40
SHA256b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172
SHA512ef0953826940f1eb6a596ed312d908b1e373e61972d8efbd2336425a7f13e6846c0f7341be2c78ac47c7786bacbe94336dcc51d0b270f8aaaa4842256da9ab97
-
\Users\Admin\AppData\Roaming\WNetval\b8cbc6e6dc192c9d99909cd74d37834abeb7bfac16e7efc2ebcc2c68264bf182.exeFilesize
368KB
MD58402ab33eafb84178069f8f490ca604d
SHA1516c7a538e93f7cf4bff29196511f94e5fbb5a40
SHA256b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6efc2ebcc2c57254bf172
SHA512ef0953826940f1eb6a596ed312d908b1e373e61972d8efbd2336425a7f13e6846c0f7341be2c78ac47c7786bacbe94336dcc51d0b270f8aaaa4842256da9ab97
-
memory/1040-64-0x0000000010000000-0x0000000010007000-memory.dmpFilesize
28KB
-
memory/1040-66-0x0000000000190000-0x00000000001B9000-memory.dmpFilesize
164KB
-
memory/1040-74-0x0000000000190000-0x00000000001B9000-memory.dmpFilesize
164KB
-
memory/1116-59-0x0000000000150000-0x0000000000179000-memory.dmpFilesize
164KB
-
memory/1492-82-0x0000000002770000-0x00000000027B0000-memory.dmpFilesize
256KB
-
memory/2036-70-0x0000000010000000-0x000000001001F000-memory.dmpFilesize
124KB
-
memory/2036-83-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB