Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

87936f0b8f...8a.dll

windows7-x64

10

87936f0b8f...8a.dll

windows10-2004-x64

10

Resubmissions

04/02/2024, 06:32

240204-ha3wlabef8 10

04/02/2024, 06:29

240204-g88n3abec4 10

04/02/2024, 06:26

240204-g7nmhabdh2 10

01/02/2024, 22:12

240201-14kwzshdhm 10

01/02/2024, 21:43

240201-1k7xeaegc9 10

01/02/2024, 18:25

240201-w23lsseagn 10

Analysis

  • max time kernel
    216s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87936f0b8f079c7f722ab91029cc3f8a.dll

  • Size

    462KB

  • MD5

    87936f0b8f079c7f722ab91029cc3f8a

  • SHA1

    3e6a4041ed2be36ef85ccde8f170b75607887dfe

  • SHA256

    a1dd74d7301bf8d504449071142c81113bcd4d0c88fee46e7bacf550495a72bc

  • SHA512

    fbda002b393bf96b1c338a960c7694fa63ff97860bb5a9e7fe37d887d56243b0568d4b63cebc1e7079fd8ca2f4d9ab67f3c53d6b5bd0532f6b141f9bb9ed9a79

  • SSDEEP

    6144:7bVPXLakbTqht5o+nKivd8Z4sPYwp4KltOzlZRMCKy6fcWWHDecHAI3C+8hkBt:db4DmavdW4svpLtmRlKMHDuIyct

Score
10/10
trickbotzev4bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev4

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: LoadsDriver 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4540
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.0.198050367\1578867038" -parentBuildID 20221007134813 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3c3f5e1-64eb-40bf-a9f5-5587d9c7e8f0} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2024 2952fbd5658 gpu
        3⤵
          PID:760
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.1.1182255948\2009416831" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db04906e-4743-4aac-b38a-920b3fce6d9d} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2440 2951bc72b58 socket
          3⤵
            PID:4336
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.2.2002090413\1116540503" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2944 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1f0f90b-ab92-4e1f-864d-22f353465a0b} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2972 295339a2258 tab
            3⤵
              PID:3436
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.3.1024179934\82361046" -childID 2 -isForBrowser -prefsHandle 2464 -prefMapHandle 1072 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a6d428b-e701-4dce-9c6e-e637517b8b7b} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 3612 2952fbd5f58 tab
              3⤵
                PID:904
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.4.1564304252\712964830" -childID 3 -isForBrowser -prefsHandle 3488 -prefMapHandle 3900 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8d1c2f3-34a9-4ce1-a784-3b597074cedb} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2464 295346d0258 tab
                3⤵
                  PID:1484
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.6.488809842\444505557" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4912 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f929288e-1340-40e9-9052-b4fb9c81ecb5} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5104 295351a4b58 tab
                  3⤵
                    PID:1176
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.5.1032521288\434214146" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {561c44e2-f1c8-45eb-bb69-d49e0cf111a5} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4936 29531cbc158 tab
                    3⤵
                      PID:1872
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.7.460037945\390218058" -childID 6 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96bb344a-a202-4b7b-81b4-308a45702fda} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5420 295351a3058 tab
                      3⤵
                        PID:1280
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.8.1124641251\230069610" -childID 7 -isForBrowser -prefsHandle 5808 -prefMapHandle 5780 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ed44b9-791c-4a94-a436-a12054eb1d00} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5816 295353a3058 tab
                        3⤵
                          PID:1544
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.9.1654229078\1435278565" -childID 8 -isForBrowser -prefsHandle 3776 -prefMapHandle 5560 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1048 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b76a7aa-e767-4ba9-ab94-9a8cc2d75726} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 3716 2953779cb58 tab
                          3⤵
                            PID:3360
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:4556

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\stdidscq.default-release\cache2\doomed\23421
                          Filesize

                          10KB

                          MD5

                          16f08312a100423ae16e1e26fee30ee8

                          SHA1

                          eea6a8ac7e6ac294896b7a7dd5aa6b22fed1d104

                          SHA256

                          4db5987586d8466832cfe45c84b03fcd73db2b98040956f8adc4bdd30645cfe2

                          SHA512

                          a094f3421719f0fa6e2c95d2db789f8087d46968a45cd943e7ebb08b8b10496c8223175d3ee550edadc0d2be47063016542403c404e58e4bdacd182a2cd96c29

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\db\data.safe.bin
                          Filesize

                          2KB

                          MD5

                          d84b6df3d6e6ca2332abfed192cac726

                          SHA1

                          2666d81217d2619bc09a1040d530a81e3fca3721

                          SHA256

                          a850634ac76520f5fca70229a2084ab5d715b779d01db810dd0313b66fa37a46

                          SHA512

                          201e5760fd83ea9e378f957396ea2a98ceaba710f6a33ab5ebb6e88b24fe38a49e752043b154bd991280b01a7c5714a78ac84afb46a70ca06a87f619802c9b10

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\5c6755b8-6165-4608-ae63-8d60aac20b85
                          Filesize

                          10KB

                          MD5

                          0f6e514a6ef26f1e263131d8a3b1ddbc

                          SHA1

                          4b240b4b07126f226b02120b2e7d3758102c673e

                          SHA256

                          bd768c6c6d74a99dd822582d0b3cfd7d2dc1f38a7b3621039777f24365369d5b

                          SHA512

                          e08c5b0997b469e2acf034a60feeee6e1e25df3d834fd2346400b1d3afa08cd8ef07fe0cf11b335327b6dae005e0bef6f365ffcbe8eb3783bb64247f27bdf319

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\a26b59b6-9f5d-4e45-af51-a6feecafdced
                          Filesize

                          746B

                          MD5

                          b547ebc93c68eabab76eccfe23bc97aa

                          SHA1

                          0f9965018f2f0449d284094575dd22fa93f4abea

                          SHA256

                          5032f122db945119beb7f63b2e91a63f89b445943661c0e0b4a0d8919d93a553

                          SHA512

                          a8d77cef128a6890a5ac78b566aafd95ed36844aa67b9c838a0d3702ba0c08276c76f79f70a948d8697476b8b2847cc250bb14aaee0be78d0f5c801b374f7b77

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          81aa307549ab6788d88853f48d59f886

                          SHA1

                          06551a6f05ac3ae507a6ceec9cd3a6f1455a784d

                          SHA256

                          da82928ac540d9525e091013029c9834e18aff2707c53166899c80f4723817b5

                          SHA512

                          ac9624d92785f0b382de85c41e0445e45363a2a3877fc26beedec08d3336bd5fe71797517bb5c39218025a76f40a54a04d59bc8acf335a1997f7be2bbdeab7d7

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          b4dc13e9808d7b26c27b1a0230b83efc

                          SHA1

                          486520e0298c0f5ff48977968d1fb4b0519fd53d

                          SHA256

                          4ee2d5c7f6f7982b2144337e60373ec042efb8c68490948442d9546e9faca4b3

                          SHA512

                          3c8518d0059a0b6a1301beb404fa5b0ec01ef51f1d18b16e8c122dd97aa8e7cb9bc2e0e91a206e12e9857aa107c573af4198b8b194464147855e5325c7031a83

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          e66864bff38011a05ba4bd4ea9485827

                          SHA1

                          7de35b49f6f18a6b12a227c77c5686bdb01fd5c4

                          SHA256

                          91d6c8e568391ab3c6e4c1d233f52d5f7942b2f8736752b6e17191f2c5eba80d

                          SHA512

                          d589292d5034b90f8c09fadf44c00340eb6a4f0a936b7ba0f69747cc392ef80df6f6234209996a8eeab61e03f1179d085253cfa5b8912ab0e8ba81c6ef4d2518

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          5KB

                          MD5

                          2189a8516340b83a8937dc72d86b111c

                          SHA1

                          ba0ee768229a8fee08aedf2fa739a961c13f5b13

                          SHA256

                          890870cf267425f76cdaef6432b3d9964eb80f6082798d257f6a4601bf4dabb9

                          SHA512

                          b990d88e5f04df096fbf658962b62e1d2a6fa82f455788ae41ff3f214fba12db33a6f21817d0e901ea643a8bc7a4214ae2ec4419d03e433c7019e7d19908058f

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          6KB

                          MD5

                          c8025a21cf6e87d60129656b2a16a515

                          SHA1

                          76cffd5265b4436dd8675cd62f5fd1d270c3d561

                          SHA256

                          f01f5f1c601c6bc32562766abaa72d568da34d862c91fc73c101e5e6f15b0469

                          SHA512

                          6fe870170bd56b0d826ac6f534b38b8bde9233cb3e54bb77bad73984c7cf325e9b75f5c838b4b7bc247ac9e2e0b8f35ca07ea444814294600ead72b6fbc8b054

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          4KB

                          MD5

                          af9ffdfbb68a1e6bdf4c15481eb7e7e7

                          SHA1

                          d1fdb581cdda9dfedb599f487ecb4ae05ca8bce3

                          SHA256

                          fe6fb2afcd10a5c5004878cad3e824c3dc9fb3d38d7b609989b1db8ad51be8ba

                          SHA512

                          c2ecca9f0ea4c2f6f8704729f7fecdd7c05b9cd7a678595feeb8e9bab2f8d0bedae41310caa59424f21447d0cbcbe355d65a4419a38b553bdf1bfcc1e094d678

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          6KB

                          MD5

                          8402cc5117b6225248b4ea740b78d9bb

                          SHA1

                          b30ce581e8d66bafec951b65497b53bd7354355f

                          SHA256

                          8ee0c10bd0067782d3ffdbd3e33933da7dbb1d3f4584c76d82441c3bd83b045b

                          SHA512

                          873a9ba36f03d34ef8c9f621236f00c150c47086b179377b64234326f6e6753e0fd10c04f1865e72f7bcf21893d4ea5939b6124324447969938891e49316518a

                          Download Submit

                        • C:\Users\Admin\Downloads\mYL6TO-j.zip.part
                          Filesize

                          8KB

                          MD5

                          a043dc5c624d091f7c2600dd18b300b7

                          SHA1

                          4682f79dabfc6da05441e2b6d820382ff02b4c58

                          SHA256

                          0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

                          SHA512

                          ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

                          Download Submit

                        • memory/2920-7-0x0000000010000000-0x0000000010003000-memory.dmp

                          Filesize

                          12KB

                          Download

                        • memory/2920-6-0x0000000001430000-0x0000000001470000-memory.dmp

                          Filesize

                          256KB

                          Download

                        • memory/2920-0-0x0000000002DE0000-0x000000000303D000-memory.dmp

                          Filesize

                          2.4MB

                          Download

                        • memory/2920-3-0x0000000010000000-0x0000000010003000-memory.dmp

                          Filesize

                          12KB

                          Download

                        • memory/2920-2-0x0000000001490000-0x0000000001491000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2920-1-0x0000000001430000-0x0000000001470000-memory.dmp

                          Filesize

                          256KB

                          Download

                        • memory/4540-8-0x000001FF92950000-0x000001FF92978000-memory.dmp

                          Filesize

                          160KB

                          Download

                        • memory/4540-5-0x000001FF92950000-0x000001FF92978000-memory.dmp

                          Filesize

                          160KB

                          Download

                        • memory/4540-4-0x000001FF92AB0000-0x000001FF92AB1000-memory.dmp

                          Filesize

                          4KB

                          Download