Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2024 07:26

General

  • Target

    3800481c130c2671c5e4742cf6e99b00N.exe

  • Size

    368KB

  • MD5

    3800481c130c2671c5e4742cf6e99b00

  • SHA1

    e583eacb665803c63bf96c6924790f9bbed02449

  • SHA256

    2103e44868d587fe3247a09802318e062750471c94793cc56f537e60caf37b01

  • SHA512

    defb5666245d54f5557611b7c56d844191630f02571058c0e7ac35dbb62a47e4e5dcef9d171dbf9cf7c942279188351e3f15d32c6af90a558f71917a8e9657ff

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qp:emSuOcHmnYhrDMTrban4qp

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3800481c130c2671c5e4742cf6e99b00N.exe
    "C:\Users\Admin\AppData\Local\Temp\3800481c130c2671c5e4742cf6e99b00N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2640
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
    • C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
      C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2580
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2472
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2748
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {88790EA7-A38B-4546-BB69-DD6632CB1C6C} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
        PID:2448
        • C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
          C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:852
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            3⤵
              PID:2196

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172136094-3310281978-782691160-1000\0f5007522459c86e95ffcc62f32308f1_ad67a936-7f42-4f72-a93a-f5bcf669d37e

          Filesize

          1KB

          MD5

          121597a0a19c7667d56e670c0bee0918

          SHA1

          abdf90de4ad3c492da9e8163b03dc840bec3948c

          SHA256

          0409c6f050ed801bc548088ae9bd2ad71cc6cfd520233f14c63c4c27c95233d0

          SHA512

          900bc16b8b5001d471dec17c6ec19c8e8486e6c0de8f577123f44a6c517e4c315f3bd6c3240b1c84f53d45d6630c7d901f35f92d77e18185a97abff386793504

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          efde455a8cdfb46333ace00fce0eda16

          SHA1

          a1490207750ee8d9fdc862f611007c3f0d6f8323

          SHA256

          6b488aace9911d37f900a8d0d3e5db7275c33a2a8ea3ce4274b86670493bea3a

          SHA512

          9cc4581045079779d79fbaafa1046af0417813bcf24e8c7db051ead6eac131f6520a01f556aefb7f6486db3c086953a2a0d43296b78e66d7911eefad7c331d51

        • C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe

          Filesize

          368KB

          MD5

          3800481c130c2671c5e4742cf6e99b00

          SHA1

          e583eacb665803c63bf96c6924790f9bbed02449

          SHA256

          2103e44868d587fe3247a09802318e062750471c94793cc56f537e60caf37b01

          SHA512

          defb5666245d54f5557611b7c56d844191630f02571058c0e7ac35dbb62a47e4e5dcef9d171dbf9cf7c942279188351e3f15d32c6af90a558f71917a8e9657ff

        • memory/2748-17-0x0000000010000000-0x000000001001F000-memory.dmp

          Filesize

          124KB

        • memory/2748-16-0x0000000010000000-0x000000001001F000-memory.dmp

          Filesize

          124KB

        • memory/2748-22-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

        • memory/2964-1-0x0000000000080000-0x00000000000A9000-memory.dmp

          Filesize

          164KB

        • memory/2964-7-0x0000000000080000-0x00000000000A9000-memory.dmp

          Filesize

          164KB

        • memory/3044-10-0x00000000000F0000-0x0000000000119000-memory.dmp

          Filesize

          164KB

        • memory/3044-21-0x00000000000F0000-0x0000000000119000-memory.dmp

          Filesize

          164KB

        • memory/3044-12-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/3044-11-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.