Resubmissions
13-07-2024 07:04
240713-hwfcesshqg 1013-07-2024 06:54
240713-hn9w3azhnj 1024-08-2023 07:19
230824-h5hh5sah24 10Analysis
-
max time kernel
431s -
max time network
426s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
13-07-2024 06:54
General
-
Target
xml1.exe
-
Size
396KB
-
MD5
8503ea92f4c9941ee3295978729d98ba
-
SHA1
d04dfbc5b1335c8408ffb5c58bd966791f748ad3
-
SHA256
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
-
SHA512
a5dade77d81f3fc49b46d828ea653d55b921e8b65b455dd0a1fa7eba7880b3a86deff0aafd21276a86eb95be948ab61da9771343ccbc24164b31c3a5b18edaa5
-
SSDEEP
6144:omPt4BMS4GhUjjF0CBTTFCIRroPHQJ/s5xi8uwytwnhJCAfYrewWvoKMyDftxQib:ZPt4BMsOvpAHQJ0G8CAfWWvo1im
Malware Config
Extracted
trickbot
1000512
xml1
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
-
autorunName:pwgrab
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xml1.exe"C:\Users\Admin\AppData\Local\Temp\xml1.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\xml1.exe"C:\Users\Admin\AppData\Local\Temp\xml1.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\y57qoddc5seky.exe"C:\Windows\System32\y57qoddc5seky.exe"1⤵
-
C:\Windows\System32\niffs7.exe"C:\Windows\System32\niffs7.exe"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=niffs7.exe niffs7.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff80ccb3cb8,0x7ff80ccb3cc8,0x7ff80ccb3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4732 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3312 /prefetch:82⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,4536925635823171917,497311999984647523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\ntkrla57.exe"C:\Windows\System32\ntkrla57.exe"1⤵
-
C:\Windows\System32\securekernella57.exe"C:\Windows\System32\securekernella57.exe"1⤵
-
C:\Windows\System32\ntkrla57.exe"C:\Windows\System32\ntkrla57.exe"1⤵
-
C:\Windows\System32\CustomShellHost.exe"C:\Windows\System32\CustomShellHost.exe"1⤵
-
C:\Windows\explorer.exeexplorer.exe /NoShellRegistrationCheck2⤵
- Modifies registry class
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD59e466b4837d8431be725d6b9c1b4d9ef
SHA13f247b7c89985a41d839cad351cd0fc182fcb284
SHA2562f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA51201de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
960B
MD516846df493521e84fe47cd6b6451ec8f
SHA16d99eb017c5aec08d3a7e908bbd4a051ce250c02
SHA25669f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9
SHA512aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd
-
Filesize
152B
MD5f53eb880cad5acef8c91684b1a94eed6
SHA1afab2b1015fecbc986c1f4a8a6d27adff6f6fde9
SHA2565cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27
SHA512d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794
-
Filesize
152B
MD5b0499f1feacbab5a863b23b1440161a5
SHA137a982ece8255b9e0baadb9c596112395caf9c12
SHA25641799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7
SHA5124cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260
-
Filesize
1KB
MD5cec2e50cdb5b587865eeeb931f19acf8
SHA1d1fa0d36deb6477a4c1f2c7b4158da3a5f6af1ef
SHA256506eb1e816aaa01bd9fad732214f3ce75f1e1f319670974397595b6a9529ebae
SHA51241c185ba89720576fedbc9c49a64ce7fbde5828bcac1f406f373db26c236901c1379ac2363faf062f2a827fef64022db42ddd4725af48c1bbc3e0fe9a6470ca4
-
Filesize
846B
MD51543a268dc5229cb6889301ee0201d69
SHA1afd93f64995623a3b4c36e7788c53418060d827d
SHA256179304d07d2a3d7d040ecafd6d492b8b09cf839d7b1987ddfc08ac394427155e
SHA51286763a3370991f06465f6e6167ab107ee74848346a5edd535213d5a809d32c2a220c80feb9f0960450b7e43596a1760f55252f89d9e1deb606ce94c9eca3f2b8
-
Filesize
5KB
MD58109bb68c6fe7ad87f4d34d9ec81234b
SHA1a1b231809a1cd44a7e991829b7c3542c6cb5e46c
SHA25693d367c594deff464a400310b4ae79714f1e3897cf3e9e8a5653b245cf8bdadc
SHA512372018995af0947681df776dd6a930917cf19662d23fe8435a60799250c45bc75db92f5bd0fb7db96c6bc176504b5a5f744a54eebcdf8ab2fb95076ac3ee5b5e
-
Filesize
6KB
MD555ae5c1c450fdca02414f906a2f0a5cb
SHA1f87b1c11a97aecd1c0455d64228a829c5df113e3
SHA2566ba2ccd9b24b242fd267cfe7e7db2e725cede4f346e4bb5178830abfb7c3fa30
SHA51260f6449f7f3844ed02365ba33a55497ac894aaef857b0a95c9dcca40435a805d07de5b556c231cc1462bbc3d05e66864bb7d678a33bf6ed83e1cf8ac943ec0c9
-
Filesize
6KB
MD59d0c75199897dd160864c710a054b777
SHA18a5548de52e34414aa108d532a071d832a66a541
SHA256ba9261f157397811bcd6a7ecd7d702315f1be1c695512552c5c96cbcf2ec250b
SHA512378a3da16c0ee19e2fd91c4ee914e7dfe4c60874bfe7899a375b6aa375e978fceac46e9fe20e10aed66043a2eec429f01f097a372d61851ec98e9fa9a58ce099
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5bb2ba7afcced7eede10030079bd84636
SHA1a04110238173d3a4093b674cf3551a9ffa221621
SHA2564cab751a1850413812f93105d5922992b84cf2a82b3c3ae55676bd9dcf4dcd62
SHA512178ff4e93e4d1b81119844910934d473cb615e069576f5b32fcfc7662ead36493e67c8e8aa4bf287737fe05d04331362395c79dc36e6d38089c91d729bc77ad7
-
Filesize
11KB
MD598d46b52c13da30105c651fd351e55f6
SHA13395002fd0f826e851394a424a2e2d3721b536eb
SHA25633ee471a95a7bc30b66b04312b39e58514c38fbfbb8087412706f1dc69072a80
SHA512961c9848b3fa674d87c9d4f1109bde8258234258410c90855f774a2fccd3b1ac34c120bd788b6e7a57e7d222815d0ce25009549557db7d8f99698a6244153122
-
Filesize
10KB
MD5c7e6c4fe75def133faaad5143dd9866b
SHA116c306f0f07a1eb20a184a055e7d00dae5c1be2e
SHA25693a3517d19755945a0e9a7f896bb4df74f0872ab515779b5919f8a06eb5732ed
SHA5123f32f7d849fd6d5e064a4f67733f1d8cba9ede77e515e175283682055a4e2f9bce65dd5ef82239266c1dc58aa708905f677fa557f3261d20c5de55b64a9182e9
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
32KB
-
Filesize
1.1MB