Resubmissions
19-07-2023 06:20
230719-g3xdvagb67 1009-07-2023 07:36
230709-jfjkksbb93 1009-07-2023 07:21
230709-h61fcabh6t 10Analysis
-
max time kernel
1782s -
max time network
1802s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
19-07-2023 06:20
General
-
Target
83817ff8228a54exeexeexeex.exe
-
Size
527KB
-
MD5
83817ff8228a54ebef4c323a770e5481
-
SHA1
8fbc2b17032af8a7ce7c3065305892854277cfa9
-
SHA256
23b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
-
SHA512
e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
SSDEEP
12288:Zx1Q61iHsXYvfVpMODDawkCurdEtttY4jVHVEGGJL:ZXQUIsQpMsequrmGmVEjZ
Malware Config
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 10 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\83817ff8228a54exeexeexeex.exe"C:\Users\Admin\AppData\Local\Temp\83817ff8228a54exeexeexeex.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\аНаоすは래별.exe"C:\ProgramData\аНаоすは래별.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exeC:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exeC:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exeC:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5815494c1565d6f512e25d0d0ac396d0a
SHA1f67b40b0c8972cc4f5e322044ae83d5a2d953559
SHA256958afa4bfd0f9e5dba2992593cff21a948557305fd665c1daea09d22f5ba205e
SHA512315f556dfc436a72112855ead04a0f348f99e656c6291fd604169cf7a4ee52f4fa94e2f97992116d52b366a21c1bc491c004b8275fb5c6ab8557aa4c9476e585
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
17KB
MD5ff930f8a47b91c7b024f1ff2949b5841
SHA1aeaba4ab21ba76566f33cd7c9cd7272dea1ae172
SHA25633f7cafbfa0f5fafc62f8733231f12a6a41f6a782118db6cd914e334586f30a9
SHA512af507769be6e43ebf0c713ad91dc2c366b49b00e8d293c3a467ba21feb382de10ea7793d0699cf72a76d1c9723c4fc861c65b78cb6e8fbdcd5c219b94a32bc04
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
527KB
MD583817ff8228a54ebef4c323a770e5481
SHA18fbc2b17032af8a7ce7c3065305892854277cfa9
SHA25623b52343e9f52f72d0bb7b3d0ecc74a54c812f5b8f1143ef10daca23977858ee
SHA512e1606094ebe36b18847b8e63c4e5bdc72827bc498261ed4f9356e143d6c6686187a7663b2b8b9b17f06d65df9f3e8084e74c9091dede372d018bd8ade547c45c
-
Filesize
20KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
20KB
-
Filesize
184KB
-
Filesize
176KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
20KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB