Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2023 20:12

General

  • Target: 8b535835648e9b123abe3bc278419349.exe
  • Size: 1.2MB
  • MD5: 8b535835648e9b123abe3bc278419349
  • SHA1: 0650bacf01e9f3e41be961f2ee9b4eb661e064a0
  • SHA256: f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f
  • SHA512: 023892b6b4fff0f6ce23a42132e37dc624d445417d31d307fba3e8f92f4f047fbfb2c77d59260a16136bed2e5d19ee87e5142a1c98515c1bd622272f7225e54f
  • SSDEEP: 24576:aQCxw3cNf8dX1B5GhIviV81pTXSg/vVDlIBPWjlryy7zcivN:aQi5f8dlLGC6G/TXJli4jlh7zzl

Malware Config

Extracted

  • Family: trickbot
  • Version: 2000022
  • Botnet: mor1
  • C2:
    85.204.116.83:443
    91.200.100.143:443
    83.151.14.13:443
    107.191.61.39:443
    113.160.129.15:443
    139.162.182.54:443
    139.162.44.152:443
    144.202.106.23:443
    158.247.219.186:443
    172.105.107.25:443
    172.105.190.51:443
    172.105.196.53:443
    172.105.25.190:443
    178.79.138.253:443
    192.46.229.48:443
    207.246.92.48:443
    216.128.130.16:443
    45.79.126.97:443
    45.79.155.9:443
    45.79.212.97:443

Attributes
  • autorun
    Name:pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe
    "C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c izXS
      2⤵
        PID:4660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode Popolato.swf Illusione.xps
          3⤵
          • Manipulates Digital Signatures
          PID:3848
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4756
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
            4⤵
              PID:2932
            • C:\Windows\SysWOW64\certutil.exe
              certutil -decode Turba.csv W
              4⤵
                PID:4484
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                Tu.com W
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1112
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:4196
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:736
                    • C:\Windows\system32\wermgr.exe
                      C:\Windows\system32\wermgr.exe
                      7⤵
                        PID:2332
                      • C:\Windows\system32\wermgr.exe
                        C:\Windows\system32\wermgr.exe
                        7⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2264
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 428
                        7⤵
                        • Program crash
                        PID:4908
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 30
                  4⤵
                  • Runs ping.exe
                  PID:468
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 736 -ip 736
            1⤵
              PID:440

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1553 Subvert Trust Controls (1)
    • T1553.003 SIP and Trust Provider Hijacking (1)
  • T1112 Modify Registry (1)

Discovery
  • T1018 Remote System Discovery (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
    Filesize: 921KB
    MD5: 35fde30343a8651ad541e796d764a052
    SHA1: 66b2c2b29f3f666ed4b290e7e48650cb4b20e303
    SHA256: 0ece2aec545f79a310010bf1b36dad830944f8f089afee9141cd260f95c36b59
    SHA512: 3aa2f31d1525867ccedb7161a9647c9d275fc61f58cd31599e05ae2dda0643f3b5b7234c61f260d583a74b17eaecbceb2e3e4b6a6a386b164c9bbf1d2b9a38b4

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
    Filesize: 27KB
    MD5: 2b7d94cc6c10c0bdf0a6680991672fa7
    SHA1: 0929b3d2134cc6abe27b32fa08eb3a80c7200cb3
    SHA256: d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd
    SHA512: 931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Infinita.flv
    Filesize: 64KB
    MD5: b231d256ddf08027e0a15adcd0e066be
    SHA1: 0fad9a3cd47ee6d9a2edd1dbca0359d6eca5a7b2
    SHA256: 9e6665471e6495f027aea9515a9c04ad59195a93a152b1ab7065e0ad626337e2
    SHA512: ac0cb5651ab5658c40cb1adbf40d3572a7502c4242b4923069f6a95fb44116a4af2e5efb6921df5c835788cad3a01403a8fc6dff1f7f3b41b0e8ddd9879d826d

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
    Filesize: 38KB
    MD5: 617289b98bf0f2b52f3b16654dc2c568
    SHA1: 0b59918c027484c0ad4263ccccde302eb6d656fd
    SHA256: 842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e
    SHA512: 7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
    Filesize: 921KB
    MD5: 78ba0653a340bac5ff152b21a83626cc
    SHA1: b12da9cb5d024555405040e65ad89d16ae749502
    SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
    SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
    Filesize: 155KB
    MD5: 2ac74e102f6371637ebd8357d56fe6a4
    SHA1: 4937d455ae014014e00ea02ce40d8dee81834981
    SHA256: cf84d280b6c8129121c926aaa78e005dba4875912e7312dc7ccdfcc88b2119ca
    SHA512: f25d2ef1ff92859fb5a7c286807dbbe69e96eff7406f4ead798fcf73e35e54ba1eb9bb330efc7672eae4bfba7a76348e0bb7f9a05aa3b8ad9bcabe97f367e5c2

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
    Filesize: 910KB
    MD5: 5d61882d714cd3e72f6b2ca2d88a456f
    SHA1: 85315e2ad09edb0051062c929c7d966589ac8340
    SHA256: fa783d9734141a1a55d08299f3a92e5b75645b2ad979ec005df47730f53ff50a
    SHA512: 9c4450a04526990455850f94bc140aafd439657f3acecaefd826cdc579e47bad91e00c64dba7ca5f8726a36195579489283bfdd6f7e9fc0ff9fd40ef88731291

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
    Filesize: 105KB
    MD5: 73cb840dc107672151b3cb6ef95b70e2
    SHA1: 9d9a5bc3c7b6728ce640dc3c28496b542690eab7
    SHA256: 0380ba798ec8777467ae845731898a9cd47129553cf890479ed435eac983f3ac
    SHA512: d6ffd65b382dc494d8386b2cfc1a2c89dd65f8befffaf1e5c9d9f00aaeeea5e423bd53a03480cc40782b68251cc7f3b9f518411df80ade537348d374ee57fedd

  • memory/736-74-0x0000000010000000-0x0000000010003000-memory.dmp
    Filesize: 12KB

  • memory/736-24-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB

  • memory/736-73-0x0000000000E60000-0x0000000000E61000-memory.dmp
    Filesize: 4KB

  • memory/2264-75-0x000001DFA54D0000-0x000001DFA54D1000-memory.dmp
    Filesize: 4KB

  • memory/2264-76-0x000001DFA5440000-0x000001DFA5468000-memory.dmp
    Filesize: 160KB

  • memory/2264-77-0x000001DFA5440000-0x000001DFA5468000-memory.dmp
    Filesize: 160KB

  • memory/4196-23-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
    Filesize: 4KB