Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 17:19
Static task: static1
Behavioral task: behavioral1
Sample: 7fb1de391d2e8956aab8a707ba7047b0N.exe
Resource: win7-20240705-en
General
Target: 7fb1de391d2e8956aab8a707ba7047b0N.exe
Size: 368KB
MD5: 7fb1de391d2e8956aab8a707ba7047b0
SHA1: b4596d683f948181068395159cf245d7faf5617a
SHA256: e31ace5602fa7c78e8a7c73efded326053a27ee8b94a868e3487c798803d8f3b
SHA512: 32b7e4773585434eabc057f3af32c08726bf347bac1a3375b87cff22e1b8498b90821f918047778a7e22add83293dcc08d3ccdb8c74ae0a75616f1cd39153305
SSDEEP: 6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q0:emSuOcHmnYhrDMTrban4q0
Malware Config
Signatures

Trickbot x86 loader (4 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource                                                                      yara_rule
  behavioral1/memory/2272-1-0x0000000000180000-0x00000000001A9000-memory.dmp    trickbot_loader32
  behavioral1/memory/2272-7-0x0000000000180000-0x00000000001A9000-memory.dmp    trickbot_loader32
  behavioral1/memory/3012-10-0x0000000000080000-0x00000000000A9000-memory.dmp   trickbot_loader32
  behavioral1/memory/3012-20-0x0000000000080000-0x00000000000A9000-memory.dmp   trickbot_loader32
  Both processes carry the same 0x29000-byte (164 KiB) loader region, at 0x180000 in the submitted sample (PID 2272) and at 0x80000 in the dropped copy (PID 3012). Each region was dumped twice, so the four hits are two loader images, not four.

Executes dropped EXE (2 IoCs)
  pid   process
  3012  8fb1de391d2e9967aab9a808ba8048b0N.exe
  1328  8fb1de391d2e9967aab9a808ba8048b0N.exe

Loads dropped DLL (1 IoC)
  pid   process
  2272  7fb1de391d2e8956aab8a707ba7047b0N.exe

Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid   process
  2796  powershell.exe
  2176  powershell.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                                                                                                            process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  The file is PowerShell's own Start Menu shortcut and the writer is powershell.exe itself, once per PowerShell launch; treat it as a side effect of starting PowerShell, not as a payload drop.

Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
  pid   process
  2740  sc.exe
  2124  sc.exe
  2248  sc.exe
  2612  sc.exe

System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process (count)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7fb1de391d2e8956aab8a707ba7047b0N.exe (1), 8fb1de391d2e9967aab9a808ba8048b0N.exe (2), cmd.exe (6), powershell.exe (2), sc.exe (4)
  Every process in the tree opened this key, the system utilities included, so on this run it adds nothing beyond what the process tree already shows.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process                                 count
  2272  7fb1de391d2e8956aab8a707ba7047b0N.exe   3
  3012  8fb1de391d2e9967aab9a808ba8048b0N.exe   3
  2796  powershell.exe                          1
  2176  powershell.exe                          1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2796  powershell.exe
  Token: SeDebugPrivilege  2176  powershell.exe
  Token: SeTcbPrivilege    1328  8fb1de391d2e9967aab9a808ba8048b0N.exe
  The SeTcbPrivilege entry belongs to the instance started by taskeng.exe as S-1-5-18 (PID 1328, see the process tree); the user-session copy (PID 3012) has no such record.

Suspicious use of WriteProcessMemory (64 IoCs)
  writer PID  writer process                          target PID  target process                          writes
  2272        7fb1de391d2e8956aab8a707ba7047b0N.exe   1804        cmd.exe                                 4
  2272        7fb1de391d2e8956aab8a707ba7047b0N.exe   2736        cmd.exe                                 4
  2272        7fb1de391d2e8956aab8a707ba7047b0N.exe   2836        cmd.exe                                 4
  2272        7fb1de391d2e8956aab8a707ba7047b0N.exe   3012        8fb1de391d2e9967aab9a808ba8048b0N.exe   4
  1804        cmd.exe                                 2612        sc.exe                                  4
  2736        cmd.exe                                 2740        sc.exe                                  4
  3012        8fb1de391d2e9967aab9a808ba8048b0N.exe   2640        cmd.exe                                 4
  3012        8fb1de391d2e9967aab9a808ba8048b0N.exe   2632        cmd.exe                                 4
  3012        8fb1de391d2e9967aab9a808ba8048b0N.exe   2960        cmd.exe                                 4
  3012        8fb1de391d2e9967aab9a808ba8048b0N.exe   1248        svchost.exe                             23
  2836        cmd.exe                                 2796        powershell.exe                          4
  2960        cmd.exe                                 2176        powershell.exe                          1 (listing stops at 64 entries)
  Four writes per child is what every process creation in this run looks like and is not suspicious by itself. The 23 writes from the dropped copy into a freshly started svchost.exe (PID 1248) are the injection step, consistent with the loader placing its unpacked payload in the system binary; svchost.exe is therefore the process to pull memory from, even though the YARA rule only matched the two loaders.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  The report records no task name or trigger for this, but its effect is visible in the process tree: taskeng.exe (PID 2940, running as S-1-5-18) launches the dropped copy again (PID 1328), which in turn starts another svchost.exe (PID 1756).
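A persistence check for the scheduled-task relaunch seen in the process tree (taskeng.exe running the dropped copy as S-1-5-18), as an added example that is not part of the sandbox report. It parses Task Scheduler XML definitions, which you can get on a host from schtasks /query /tn <name> /xml, from the per-task files under System32's Tasks directory, or from the COM API's RegisteredTask.Xml property, and flags tasks whose Exec command lives in a user-writable path, more so when the principal is SYSTEM and the trigger is boot or logon. The two task definitions are constructed (the real task's name and trigger do not appear in the report), and the user-writable-path heuristic and the %VAR% expansions are the example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "SYSTEM"}
# Heuristic for "a path a standard user can write to"; an assumption of this example.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+|ProgramData|Temp)\\", re.I)
# Assumed expansions for the constructed data; on the host itself use os.path.expandvars.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%appdata%": r"C:\Users\Admin\AppData\Roaming"}

# Constructed task definitions in Task Scheduler XML. The first is what a task would
# have to look like for taskeng.exe to relaunch the dropped copy as SYSTEM (task name
# and BootTrigger are assumed, not taken from the report); the second is benign noise.
TASKS = {
    r"\WNetval": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe</Command></Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-08-03T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c</Arguments></Exec>
  </Actions>
</Task>""",
}


def expand(path):
    """Expand %VAR% references using the assumed environment (case-insensitive)."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def parse_task(xml_text):
    """Principal, trigger kinds and Exec actions of one task definition.
    Exported definitions are UTF-16; raw bytes are handed to the parser as-is so it
    can honour the BOM and declaration, while a str that was already decoded has
    the declaration dropped, since it no longer describes the data being parsed."""
    if isinstance(xml_text, bytes):
        root = ET.fromstring(xml_text)
    else:
        root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    triggers = root.find("t:Triggers", NS)
    kinds = [] if triggers is None else [el.tag.rsplit("}", 1)[-1] for el in triggers]
    principal = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = expand(ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"'))
        actions.append((command, ex.findtext("t:Arguments", default="", namespaces=NS)))
    return {"principal": principal, "triggers": kinds, "actions": actions}


def assess(name, xml_text):
    """Score one task: an executable in a user-writable path is the core signal;
    a SYSTEM principal and a boot/logon trigger raise it to high."""
    task = parse_task(xml_text)
    reasons = [f"executes from user-writable path: {cmd}"
               for cmd, _args in task["actions"] if USER_WRITABLE.search(cmd)]
    if reasons and task["principal"].upper() in SYSTEM_PRINCIPALS:
        reasons.append("runs as SYSTEM")
    if reasons and any(k in ("BootTrigger", "LogonTrigger") for k in task["triggers"]):
        reasons.append("boot/logon trigger")
    severity = "high" if len(reasons) > 1 else "medium" if reasons else None
    return {"task": name, "severity": severity, "reasons": reasons, **task}


def hunt(tasks):
    """Return only the tasks that earned a severity, highest first."""
    flagged = [r for r in (assess(n, x) for n, x in tasks.items()) if r["severity"]]
    return sorted(flagged, key=lambda r: r["severity"] != "high")


if __name__ == "__main__":
    for r in hunt(TASKS):
        print(r["task"], r["severity"], "; ".join(r["reasons"]))
```

The path heuristic is deliberately broad (all of Users, ProgramData and any Temp directory); on a real fleet, pair it with an allow-list of known vendor tasks rather than loosening the pattern, because the SYSTEM-principal plus user-writable-binary combination is exactly what a persistence task for this sample needs.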
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe  (PID 2272)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1804)
        cmdline: /c sc stop WinDefend
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe  (PID 2612)
            cmdline: sc stop WinDefend
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2736)
        cmdline: /c sc delete WinDefend
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe  (PID 2740)
            cmdline: sc delete WinDefend
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2836)
        cmdline: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2796)
            cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe  (PID 3012)
        cmdline: C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2640)
            cmdline: /c sc stop WinDefend
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\sc.exe  (PID 2124)
                cmdline: sc stop WinDefend
                - Launches sc.exe
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2632)
            cmdline: /c sc delete WinDefend
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\sc.exe  (PID 2248)
                cmdline: sc delete WinDefend
                - Launches sc.exe
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2960)
            cmdline: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2176)
                cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                - Command and Scripting Interpreter: PowerShell
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\svchost.exe  (PID 1248)
            cmdline: C:\Windows\system32\svchost.exe

[1] C:\Windows\system32\taskeng.exe  (PID 2940)
    cmdline: taskeng.exe {0D045029-BF3D-48CE-8357-53E0B5F2863F} S-1-5-18:NT AUTHORITY\System:Service:

    [2] C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe  (PID 1328)
        cmdline: C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\svchost.exe  (PID 1756)
            cmdline: C:\Windows\system32\svchost.exe

Reading the tree: the sample drops a copy of itself as C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe (the name differs from the original by single-digit substitutions; the Downloads section lists a 368KB file with the sample's exact hashes) and runs it. Both the original and the copy issue the same three defence-evasion commands through cmd.exe: sc stop WinDefend, sc delete WinDefend, and powershell Set-MpPreference -DisableRealtimeMonitoring $true. The report records the commands being issued, not their outcome; Set-MpPreference belongs to the Defender PowerShell module, which Windows 7 does not ship, so on this image the commands are a fingerprint rather than evidence that Defender was disabled. The copy then starts a bare svchost.exe (PID 1248) and writes into it 23 times (see the WriteProcessMemory signature), which is the injection step. Persistence is a scheduled task: taskeng.exe, running as S-1-5-18, relaunches the copy holding SeTcbPrivilege, and the relaunched copy starts another svchost.exe (PID 1756).
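Detection logic for the chain shown in the tree above, as an added example that is not part of the sandbox report. The process-creation records and the writer/target pairs are constructed to mirror this tree (plus one benign sc query as noise that must not fire); the rule names, the eight-write threshold and the "user-writable path" heuristic are the author's assumptions. It flags sc.exe stopping, deleting or reconfiguring WinDefend, powershell.exe switching a Defender preference off, and a process running from a user-writable path writing many times into a Windows binary, then groups the findings by process-tree root so the three techniques surface as one incident instead of three alerts.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation records shaped after the report's process tree:
# (pid, parent pid, image path, command line). Sample data, not the sandbox's
# raw records; PID 4100 is benign noise that must not fire.
EVENTS = [
    (2272, 1000, r"C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe"'),
    (1804, 2272, r"C:\Windows\SysWOW64\cmd.exe", "/c sc stop WinDefend"),
    (2612, 1804, r"C:\Windows\SysWOW64\sc.exe", "sc stop WinDefend"),
    (2736, 2272, r"C:\Windows\SysWOW64\cmd.exe", "/c sc delete WinDefend"),
    (2740, 2736, r"C:\Windows\SysWOW64\sc.exe", "sc delete WinDefend"),
    (2836, 2272, r"C:\Windows\SysWOW64\cmd.exe",
     "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (2796, 2836, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (3012, 2272, r"C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe",
     r"C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe"),
    (1248, 3012, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    (4100, 4000, r"C:\Windows\System32\sc.exe", "sc query WinDefend"),
]

# Constructed (writer pid, target pid) pairs in the shape of the report's
# "wrote to memory" IoCs: four writes per child are the parent setting up a
# new process; the long run into svchost.exe is the injection.
WRITES = [(2272, 1804)] * 4 + [(2272, 3012)] * 4 + [(3012, 1248)] * 25

RULES = [
    # (finding, image basename the rule applies to, pattern over the command line)
    ("defender_service_tamper", "sc.exe",
     re.compile(r"\b(stop|delete|config)\s+WinDefend\b", re.I)),
    ("defender_realtime_off", "powershell.exe",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)  # assumed heuristic
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index_processes(events):
    """pid -> (ppid, image, cmdline), for ancestry walks and lookups."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def root_of(pid, procs):
    """Follow parent links until the parent is not in the record set."""
    while pid in procs and procs[pid][0] in procs:
        pid = procs[pid][0]
    return pid


def find_defender_tampering(events):
    """Processes whose image name and command line match a tamper rule."""
    return [(pid, name, cmdline)
            for pid, _ppid, image, cmdline in events
            for name, exe, pattern in RULES
            if basename(image) == exe and pattern.search(cmdline)]


def find_injection(events, writes, min_writes=8):
    """A writer in a user-writable path hitting a Windows binary many times.
    min_writes is an assumed threshold that skips ordinary process setup."""
    procs = index_processes(events)
    hits = []
    for (src, dst), n in sorted(Counter(writes).items()):
        if n < min_writes or src not in procs or dst not in procs:
            continue
        if USER_WRITABLE.search(procs[src][1]) and SYSTEM_DIR.match(procs[dst][1]):
            hits.append((src, dst, n))
    return hits


def techniques_by_root(events, writes):
    """Group every finding under the root of its process tree."""
    procs = index_processes(events)
    found = defaultdict(set)
    for pid, name, _cmd in find_defender_tampering(events):
        found[root_of(pid, procs)].add(name)
    for src, _dst, _n in find_injection(events, writes):
        found[root_of(src, procs)].add("injection_into_system_binary")
    return dict(found)


if __name__ == "__main__":
    for root, names in techniques_by_root(EVENTS, WRITES).items():
        print(f"root PID {root}: {', '.join(sorted(names))}")
```

The rules match on the process that actually does the work (sc.exe, powershell.exe) rather than on the cmd.exe wrapper, so each technique is reported once; the cmd.exe layer is still used, through the parent links, to tie everything back to PID 2272. The write threshold is what keeps the four-write process-creation pattern out of the injection finding.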
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3
  Filesize: 1KB
  MD5: 10f5c4e726487eef8d7fdee76f52e845
  SHA1: 40b78d975c9616ee28c640c6dc67103dd08088df
  SHA256: 3bcceb9f9cbc0c0d28e05e0e1189e48b26d486c4ca4b56d7d07b07da0e6563ac
  SHA512: 02d4d712606d96f37938b54131d59e621df6abd7e0a79466c9ac14df161a4a24fef5246b86dd63fe7526b92fe589fe679425325b8435210a97ffdce2d4b818f6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a6d798ddc77968c377bff04032f8b468
  SHA1: 6aa4c092593c2d8784c94f96cf64859858e69770
  SHA256: c6013d5292a084a3a614a6da2ebf5cc8bb94cefec5e68f21b6455d513325b2f6
  SHA512: 247299a5f694fc43804fbabf2a5225c423428b623c10d4928085823c2b0fd880665452409799ebbde826a20b800ce16f749b41f32a284273741f6c2a7ef01691

(path not shown in the report)
  Filesize: 368KB
  MD5: 7fb1de391d2e8956aab8a707ba7047b0
  SHA1: b4596d683f948181068395159cf245d7faf5617a
  SHA256: e31ace5602fa7c78e8a7c73efded326053a27ee8b94a868e3487c798803d8f3b
  SHA512: 32b7e4773585434eabc057f3af32c08726bf347bac1a3375b87cff22e1b8498b90821f918047778a7e22add83293dcc08d3ccdb8c74ae0a75616f1cd39153305

The first two are small per-user Windows housekeeping files (a CryptoAPI key container and a jump list), not payloads. The third has the size and all four hashes of the submitted sample, so it is a byte-identical copy of it: the dropped executable is the original under a new name, and file hashes alone will not tell the two apart.