Overview

overview

10

Static

static

3

6a70d87899...b6.exe

windows7-x64

10

6a70d87899...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    26s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2023, 15:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe

  • Size

    368KB

  • MD5

    362066c84500cbdd1a11ab6269eb58cb

  • SHA1

    5e8f26c150d985ee7605c6adaad3009fb1c48a48

  • SHA256

    6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

  • SHA512

    4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:emSuOcHmnYhrDMTrban4q6

Score
10/10
trickbotbankerevasiontrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 2 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
    "C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
    • C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-264077997-199365141-898621884-1000\0f5007522459c86e95ffcc62f32308f1_f28ecae2-865f-4060-84c2-613a33c8d0fd
      Filesize

      1KB

      MD5

      3e6b655239c678ebb07e01a8b6c0d595

      SHA1

      ff814c35f72584dba6f4f4bb4adfbe0645cb3a78

      SHA256

      9781631edc33066ff36414a07f1862b5bb270c7dc08b79c27917a12ee1bf3fbc

      SHA512

      527edc86574e60500bccfa214231dab3b7799954893ca84a1d6156d1a3cd838f82fd115fa13785ce7e9e4d6ed3bd2dd5dcacb0574c1e3d939b0e51b411a7af0a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      Filesize

      368KB

      MD5

      362066c84500cbdd1a11ab6269eb58cb

      SHA1

      5e8f26c150d985ee7605c6adaad3009fb1c48a48

      SHA256

      6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

      SHA512

      4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

      Download Submit

    • \Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
      Filesize

      368KB

      MD5

      362066c84500cbdd1a11ab6269eb58cb

      SHA1

      5e8f26c150d985ee7605c6adaad3009fb1c48a48

      SHA256

      6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

      SHA512

      4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

      Download Submit

    • memory/1432-76-0x0000000002510000-0x0000000002550000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1432-77-0x0000000002510000-0x0000000002550000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2108-69-0x0000000010000000-0x000000001001F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2108-78-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2168-61-0x0000000000140000-0x0000000000169000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2328-64-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2328-73-0x00000000000F0000-0x0000000000119000-memory.dmp

      Filesize

      164KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.