Overview

overview

10

Static

static

1

8b53583564...49.exe

windows7-x64

10

8b53583564...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b535835648e9b123abe3bc278419349.exe

  • Size

    1.2MB

  • MD5

    8b535835648e9b123abe3bc278419349

  • SHA1

    0650bacf01e9f3e41be961f2ee9b4eb661e064a0

  • SHA256

    f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f

  • SHA512

    023892b6b4fff0f6ce23a42132e37dc624d445417d31d307fba3e8f92f4f047fbfb2c77d59260a16136bed2e5d19ee87e5142a1c98515c1bd622272f7225e54f

  • SSDEEP

    24576:aQCxw3cNf8dX1B5GhIviV81pTXSg/vVDlIBPWjlryy7zcivN:aQi5f8dlLGC6G/TXJli4jlh7zzl

Score
10/10
trickbotbankerpersistencetrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe
    "C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c izXS
      2⤵
        PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode Popolato.swf Illusione.xps
          3⤵
          • Manipulates Digital Signatures
          PID:3736
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4136
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
            4⤵
              PID:2268
            • C:\Windows\SysWOW64\certutil.exe
              certutil -decode Turba.csv W
              4⤵
                PID:556
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                Tu.com W
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4816
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:3292
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
                    6⤵
                    • Executes dropped EXE
                    PID:380
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 12
                      7⤵
                      • Program crash
                      PID:2784
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 30
                4⤵
                • Runs ping.exe
                PID:4024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 380
          1⤵
            PID:1588

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Subvert Trust Controls

          1
          T1553

          SIP and Trust Provider Hijacking

          1
          T1553.003

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
            Filesize

            921KB

            MD5

            35fde30343a8651ad541e796d764a052

            SHA1

            66b2c2b29f3f666ed4b290e7e48650cb4b20e303

            SHA256

            0ece2aec545f79a310010bf1b36dad830944f8f089afee9141cd260f95c36b59

            SHA512

            3aa2f31d1525867ccedb7161a9647c9d275fc61f58cd31599e05ae2dda0643f3b5b7234c61f260d583a74b17eaecbceb2e3e4b6a6a386b164c9bbf1d2b9a38b4

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
            Filesize

            27KB

            MD5

            2b7d94cc6c10c0bdf0a6680991672fa7

            SHA1

            0929b3d2134cc6abe27b32fa08eb3a80c7200cb3

            SHA256

            d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd

            SHA512

            931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Infinita.flv
            Filesize

            235KB

            MD5

            c4e07c0bfe2859c8ff06a483545792e6

            SHA1

            1456bbcd34f0e912106a80bdffc61c5a4f6dc50f

            SHA256

            8cee33a6f40743340b93c2f175f4beed55f878f1e9fb00b7478ee0b1e73528df

            SHA512

            15d30aecdb96fd4510fec7b7d93d967bef7ad7ea1ee3094b7d80e6ce7476a1591afb32d7fb6328bee3aa8db4d36c3f118a96f1716697647cc7d6bad31a02067b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
            Filesize

            38KB

            MD5

            617289b98bf0f2b52f3b16654dc2c568

            SHA1

            0b59918c027484c0ad4263ccccde302eb6d656fd

            SHA256

            842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e

            SHA512

            7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
            Filesize

            921KB

            MD5

            78ba0653a340bac5ff152b21a83626cc

            SHA1

            b12da9cb5d024555405040e65ad89d16ae749502

            SHA256

            05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

            SHA512

            efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
            Filesize

            910KB

            MD5

            5d61882d714cd3e72f6b2ca2d88a456f

            SHA1

            85315e2ad09edb0051062c929c7d966589ac8340

            SHA256

            fa783d9734141a1a55d08299f3a92e5b75645b2ad979ec005df47730f53ff50a

            SHA512

            9c4450a04526990455850f94bc140aafd439657f3acecaefd826cdc579e47bad91e00c64dba7ca5f8726a36195579489283bfdd6f7e9fc0ff9fd40ef88731291

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
            Filesize

            661KB

            MD5

            0e10494978a9abfb9c454abf2a8b48b7

            SHA1

            04c1c65e8f3a5b8b21beee53f87e661ee4d7f4fa

            SHA256

            0cb9656846770fa2f1c6c279d762e3b5a2dd68c18d972982c2ee075d6d7f62b1

            SHA512

            742b8a3a01ef8a3299d72e049f2f8556b7e89ec8ca71298293e52f5b9bb21cfc4d06fc083db7dc49f6df930d50121ac7f28c288c2673aef5fc95348f29d21acf

            Download Submit
          • memory/380-24-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/380-28-0x00000000003D0000-0x00000000003D0000-memory.dmp
            Download
          • memory/3292-23-0x00000000003A0000-0x00000000003A1000-memory.dmp
            Filesize

            4KB

            Download