Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 17:07

General

  • Target

    a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe

  • Size

    368KB

  • MD5

    47f1d885fac2c01cce8ba63245fc3f7c

  • SHA1

    bf1c2aa2d3285f6632a10d56e65c0281032f7a0c

  • SHA256

    a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e

  • SHA512

    a3967d47ef3c9e4e4352055a5132ed4c8b1d4b5e4ce874a688eb780c1f213a36ff2a9ef44911a7c100af4f520c1003d0c07eb92aa73e551cf7d95a97f29a7719

  • SSDEEP

    6144:Fo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:FmSuOcHmnYhrDMTrban4q6

Score
10/10

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
    "C:\Users\Admin\AppData\Local\Temp\a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
      C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:1328
    • C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
      C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-384068567-2943195810-3631207890-1000\0f5007522459c86e95ffcc62f32308f1_89cda556-130e-4f17-88ab-af18fe5b92e6
    Filesize: 1KB
    MD5: c388d341c95a1f4dbbd5e8beae4926a8
    SHA1: 34f4e385e48155505d9e85bbae8e1d0f1dbc1149
    SHA256: fcc63781c5eeffb4a4a55c687039310e4b710090c7bd2e53484df086cd64ca82
    SHA512: e606fb6324d01e3018b23e4ebfc0549a07c3921ddd53fad1b5c9aecd0dcf143860158cf07a7911155c344b2a0df4d2b900824391a26a79ee7270433cd2e3730a

  • C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
    Filesize: 368KB
    MD5: 47f1d885fac2c01cce8ba63245fc3f7c
    SHA1: bf1c2aa2d3285f6632a10d56e65c0281032f7a0c
    SHA256: a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e
    SHA512: a3967d47ef3c9e4e4352055a5132ed4c8b1d4b5e4ce874a688eb780c1f213a36ff2a9ef44911a7c100af4f520c1003d0c07eb92aa73e551cf7d95a97f29a7719

  • memory/1328-16-0x0000000010000000-0x000000001001F000-memory.dmp
    Filesize: 124KB

  • memory/1328-23-0x0000021E1D2C0000-0x0000021E1D2C1000-memory.dmp
    Filesize: 4KB

  • memory/2772-44-0x0000000010000000-0x000000001001F000-memory.dmp
    Filesize: 124KB

  • memory/2880-28-0x0000000000D90000-0x0000000000DB9000-memory.dmp
    Filesize: 164KB

  • memory/2880-42-0x0000000000D90000-0x0000000000DB9000-memory.dmp
    Filesize: 164KB

  • memory/2880-41-0x00000000013C0000-0x0000000001689000-memory.dmp
    Filesize: 2.8MB

  • memory/2880-40-0x0000000001300000-0x00000000013BE000-memory.dmp
    Filesize: 760KB

  • memory/2880-36-0x00000000012E0000-0x00000000012E1000-memory.dmp
    Filesize: 4KB

  • memory/2960-6-0x0000000000A50000-0x0000000000A79000-memory.dmp
    Filesize: 164KB

  • memory/2960-1-0x0000000000A50000-0x0000000000A79000-memory.dmp
    Filesize: 164KB

  • memory/3068-9-0x0000000001510000-0x0000000001539000-memory.dmp
    Filesize: 164KB

  • memory/3068-21-0x00000000034C0000-0x0000000003789000-memory.dmp
    Filesize: 2.8MB

  • memory/3068-24-0x0000000001510000-0x0000000001539000-memory.dmp
    Filesize: 164KB

  • memory/3068-20-0x0000000003400000-0x00000000034BE000-memory.dmp
    Filesize: 760KB

  • memory/3068-22-0x0000000001680000-0x0000000001681000-memory.dmp
    Filesize: 4KB

  • memory/3068-11-0x0000000010000000-0x0000000010007000-memory.dmp
    Filesize: 28KB