Analysis

  • max time kernel
    26s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/07/2023, 15:44 UTC

General

  • Target

    6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe

  • Size

    368KB

  • MD5

    362066c84500cbdd1a11ab6269eb58cb

  • SHA1

    5e8f26c150d985ee7605c6adaad3009fb1c48a48

  • SHA256

    6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

  • SHA512

    4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:emSuOcHmnYhrDMTrban4q6

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 2 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 3 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
    "C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
    • C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2108

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-264077997-199365141-898621884-1000\0f5007522459c86e95ffcc62f32308f1_f28ecae2-865f-4060-84c2-613a33c8d0fd

      Filesize

      1KB

      MD5

      3e6b655239c678ebb07e01a8b6c0d595

      SHA1

      ff814c35f72584dba6f4f4bb4adfbe0645cb3a78

      SHA256

      9781631edc33066ff36414a07f1862b5bb270c7dc08b79c27917a12ee1bf3fbc

      SHA512

      527edc86574e60500bccfa214231dab3b7799954893ca84a1d6156d1a3cd838f82fd115fa13785ce7e9e4d6ed3bd2dd5dcacb0574c1e3d939b0e51b411a7af0a

    • C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

      Filesize

      368KB

      MD5

      362066c84500cbdd1a11ab6269eb58cb

      SHA1

      5e8f26c150d985ee7605c6adaad3009fb1c48a48

      SHA256

      6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

      SHA512

      4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

    • \Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

      Filesize

      368KB

      MD5

      362066c84500cbdd1a11ab6269eb58cb

      SHA1

      5e8f26c150d985ee7605c6adaad3009fb1c48a48

      SHA256

      6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

      SHA512

      4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

    • memory/1432-76-0x0000000002510000-0x0000000002550000-memory.dmp

      Filesize

      256KB

    • memory/1432-77-0x0000000002510000-0x0000000002550000-memory.dmp

      Filesize

      256KB

    • memory/2108-69-0x0000000010000000-0x000000001001F000-memory.dmp

      Filesize

      124KB

    • memory/2108-78-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

    • memory/2168-61-0x0000000000140000-0x0000000000169000-memory.dmp

      Filesize

      164KB

    • memory/2328-64-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

    • memory/2328-73-0x00000000000F0000-0x0000000000119000-memory.dmp

      Filesize

      164KB