truebot | ddb7d9a6adad0668832cacc825c523ca0a89e5abb01f1279d9c12dfd5d6653dd

General

Target

10420541033.7z
Size

485KB
MD5

6c1f622da0ad98aa4481bc89da431318
SHA1

7bb2b919387519be510446f6590108ca199a8468
SHA256

ddb7d9a6adad0668832cacc825c523ca0a89e5abb01f1279d9c12dfd5d6653dd
SHA512

eb16e7bfbc27dae51ddf843d266a63593937f2409afb058deca3e25e29a4eab894659b5ea8a8f155d45442a49cce18927db45e9d8433da19785bd61590b4633b
SSDEEP

12288:3ym5oB5XD2aCEW79QeHRm3prSOiKq/I3EmloP9:be5XD2NE26eEFSOiKq/I0mlW9

Score

10^/10

truebot downloader

Malware Config

Signatures

TrueBot payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll	family_truebot

TrueBot, Silence.Downloader
A downloader attributed to Silence group first seen in 2017.
downloader truebot
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

37 220 rundll32.exe
43 220 rundll32.exe
44 220 rundll32.exe
47 220 rundll32.exe
50 220 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe

pid process

2616 baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe

flow	pid	process
37	220	rundll32.exe
43	220	rundll32.exe
44	220	rundll32.exe
47	220	rundll32.exe
50	220	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exerundll32.exerundll32.exerundll32.exe

pid	process
2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe
3808	rundll32.exe
220	rundll32.exe
2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe
8	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\Tasks\MicrosoftEdgeUpdateTaskMachineCore{1575CC8A-457A-1700-652A-6AF2B031A266}.job rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\MicrosoftEdgeUpdateTaskMachineCore{1575CC8A-457A-1700-652A-6AF2B031A266}.job	rundll32.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

220 rundll32.exe
220 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2032 OpenWith.exe

pid	process
220	rundll32.exe
220	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zG.exerundll32.exerundll32.exerundll32.exe

description	pid	process
Token: SeRestorePrivilege	2720	7zG.exe
Token: 35	2720	7zG.exe
Token: SeSecurityPrivilege	2720	7zG.exe
Token: SeSecurityPrivilege	2720	7zG.exe
Token: SeDebugPrivilege	220	rundll32.exe
Token: SeDebugPrivilege	3808	rundll32.exe
Token: SeDebugPrivilege	8	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2720 7zG.exe

pid	process
2720	7zG.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

OpenWith.exe

pid	process
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe
2032	OpenWith.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exebaaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.execmd.exe

description	pid	process	target process
PID 1548 wrote to memory of 2616	1548	cmd.exe	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe
PID 1548 wrote to memory of 2616	1548	cmd.exe	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe
PID 2616 wrote to memory of 4064	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	cmd.exe
PID 2616 wrote to memory of 4064	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	cmd.exe
PID 2616 wrote to memory of 220	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	rundll32.exe
PID 2616 wrote to memory of 220	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	rundll32.exe
PID 4064 wrote to memory of 3808	4064	cmd.exe	rundll32.exe
PID 4064 wrote to memory of 3808	4064	cmd.exe	rundll32.exe
PID 2616 wrote to memory of 8	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	rundll32.exe
PID 2616 wrote to memory of 8	2616	baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\10420541033.7z
1⤵
- Modifies registry class
PID:3980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2344

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\10420541033\" -ad -an -ai#7zMap11307:78:7zEvent22297
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2720

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\Desktop\10420541033\baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe
  C:\Users\Admin\Desktop\10420541033\baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C rundll32.exe "C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll",#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll",#1
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3808
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll,ChkdskExs
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll",ChkdskExs
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\10420541033\baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe

Filesize
136KB

MD5
c676fc0263edd17d4ce7d644b8f3fcd6

SHA1
83367f9b1e66efce8a1a9c07b0ca532422407eae

SHA256
baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8

SHA512
7b634e8ca83505304f0211e92177a6eece4cb9c7f8b19c3f651a71c4935e89b469efc68dd1d113b6a76ca862773112b26ba29633c8bce01a0c81879c2b93f312

Download Submit
C:\Users\Admin\Desktop\10420541033\baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8.exe

Filesize
136KB

MD5
c676fc0263edd17d4ce7d644b8f3fcd6

SHA1
83367f9b1e66efce8a1a9c07b0ca532422407eae

SHA256
baaf1d0902f454dd96589202d4f0c513b0941191fae3bddb27a207fed27d9fa8

SHA512
7b634e8ca83505304f0211e92177a6eece4cb9c7f8b19c3f651a71c4935e89b469efc68dd1d113b6a76ca862773112b26ba29633c8bce01a0c81879c2b93f312

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit
C:\Users\Admin\Desktop\10420541033\c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125.dll

Filesize
1.4MB

MD5
46fe07c07fd0f45ba45240ef9aae2a44

SHA1
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

SHA256
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

SHA512
a00f0782b3ee721ef161bce5e8c5e38198997e29a1437f5e120fddb09ecc24cc714d2f6ae846c7d5b9b37694e70da65258b0b3524d9791deb2990b9769e27d03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads