Analysis
max time kernel: 112s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 20:18
Static task: static1
Behavioral task: behavioral1
Sample: e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe
Resource: win7-20240903-en
General
Target: e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe
Size: 368KB
MD5: d36d0936fd909e33e20adbc0bfc9c310
SHA1: d209e0cce8ea12e6d04c5ca30d6bc7395ebbc78a
SHA256: e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382
SHA512: c6f9503afe245b777ad99a00b67173958210b76a900c05c04e09c668e707010508e97860a25695cbc08bd03cbc55e53085c920c09c3a41483d92546dade99a66
SSDEEP: 6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qo:emSuOcHmnYhrDMTrban4qo
Malware Config
Signatures
Trickbot x86 loader (6 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource                                                                     yara_rule
behavioral2/memory/3432-1-0x0000000000C30000-0x0000000000C59000-memory.dmp   trickbot_loader32
behavioral2/memory/3432-8-0x0000000000C30000-0x0000000000C59000-memory.dmp   trickbot_loader32
behavioral2/memory/732-9-0x0000000000640000-0x0000000000669000-memory.dmp    trickbot_loader32
behavioral2/memory/732-24-0x0000000000640000-0x0000000000669000-memory.dmp   trickbot_loader32
behavioral2/memory/1748-28-0x0000000001AF0000-0x0000000001B19000-memory.dmp  trickbot_loader32
behavioral2/memory/1748-42-0x0000000001AF0000-0x0000000001B19000-memory.dmp  trickbot_loader32
Executes dropped EXE (2 IoCs)
pid   Process
732   e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
1748  e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             pid   Process
Token: SeTcbPrivilege   1748  e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
Suspicious use of WriteProcessMemory (45 IoCs)
description                       pid   Process                                                                 procid_target  count
PID 3432 wrote to memory of 732   3432  e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe  82             3
PID 732 wrote to memory of 3712   732   e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe  83             21
PID 1748 wrote to memory of 3328  1748  e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe  94             21
(The sandbox lists every write as its own row; the rows above collapse identical entries and give the repeat count, 3 + 21 + 21 = 45.)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe"
  PID: 3432
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      Command line: C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      PID: 732
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 3712

C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
  Command line: C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
  PID: 1748
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3328
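The script below is an added triage example; it is not part of the sandbox report and is neither Trickbot's nor the sandbox's code. It rebuilds the process tree above from a constructed, Sysmon-like event list and flags the three behaviours the report documents: a byte-identical copy of the sample started from %APPDATA%\Roaming\WNetval under a mutated filename (same MD5/SHA1/SHA256 as the submitted sample, see the Downloads section), cross-process memory writes from a binary running out of a user-writable directory, and svchost.exe instances whose parent is not services.exe. PIDs, paths, filenames, hashes and write counts come from the report; the explorer.exe, services.exe and notepad.exe context processes, the placeholder hashes for system binaries, the event field names, and the "mutated filename" rule (every differing character is exactly one code point higher, which is what the sample/dropped pair on this page shows) are this example's own assumptions.

```python
"""Added triage example: not part of the sandbox report, and not Trickbot's
or the sandbox's code. Rebuilds the report's process tree from a constructed,
Sysmon-like event list and flags the loader pattern the report shows.
Field names (pid, ppid, image, parent_image, sha256, target_pid) are this
example's own schema."""
from collections import Counter
import ntpath

# Names, paths and hashes as they appear in the report.
SAMPLE = "e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe"
DROPPED = "e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe"
SAMPLE_SHA256 = "e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
DROPPED_PATH = ntpath.join(r"C:\Users\Admin\AppData\Roaming\WNetval", DROPPED)
SVCHOST_PATH = r"C:\Windows\system32\svchost.exe"
SERVICES_PATH = r"C:\Windows\System32\services.exe"
EXPLORER_PATH = r"C:\Windows\explorer.exe"
# Placeholder hashes: the report gives no hashes for system binaries.
SVCHOST_SHA256 = "0" * 64
OTHER_SHA256 = "1" * 64


def proc(pid, ppid, image, parent_image, sha256):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "sha256": sha256}


def write(pid, target_pid):
    return {"type": "memory_write", "pid": pid, "target_pid": target_pid}


# Constructed event log mirroring the report's PIDs, paths, hashes and
# WriteProcessMemory counts. The explorer.exe parent (PID 4000), the
# services.exe-spawned svchost.exe (PID 1600) and notepad.exe (PID 5000)
# are assumed benign context; the report shows no parent for PID 1748,
# so its ppid is 0 (unknown).
EVENTS = [
    proc(4000, 1, EXPLORER_PATH, r"C:\Windows\System32\userinit.exe", OTHER_SHA256),
    proc(1600, 700, SVCHOST_PATH, SERVICES_PATH, SVCHOST_SHA256),
    proc(3432, 4000, SAMPLE_PATH, EXPLORER_PATH, SAMPLE_SHA256),
    proc(732, 3432, DROPPED_PATH, SAMPLE_PATH, SAMPLE_SHA256),
    proc(3712, 732, SVCHOST_PATH, DROPPED_PATH, SVCHOST_SHA256),
    proc(1748, 0, DROPPED_PATH, "", SAMPLE_SHA256),
    proc(3328, 1748, SVCHOST_PATH, DROPPED_PATH, SVCHOST_SHA256),
    proc(5000, 4000, r"C:\Windows\System32\notepad.exe", EXPLORER_PATH, OTHER_SHA256),
    *[write(3432, 732)] * 3,
    *[write(732, 3712)] * 21,
    *[write(1748, 3328)] * 21,
]


def is_mutated_copy(src_name, dst_name):
    """True when dst_name differs from src_name only by single-character
    increments, as the sample/dropped filename pair in the report does
    (e8e5... -> e9e6...). Assumed rule: same length, at least one change,
    every changed character exactly one code point higher."""
    if len(src_name) != len(dst_name) or src_name == dst_name:
        return False
    return all(a == b or ord(b) == ord(a) + 1 for a, b in zip(src_name, dst_name))


def user_writable(path):
    """Heuristic: binaries under AppData or a Temp directory."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def analyze(events):
    """Return (kind, ...) tuples for the three behaviours of interest."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        # (1) byte-identical copy under %APPDATA%\Roaming with a mutated
        #     name, started by the process it was copied from
        if (parent is not None
                and "\\appdata\\roaming\\" in e["image"].lower()
                and parent["sha256"] == e["sha256"]
                and is_mutated_copy(ntpath.basename(parent["image"]),
                                    ntpath.basename(e["image"]))):
            findings.append(("self_copy", parent["pid"], e["pid"], e["image"]))
        # (2) svchost.exe whose recorded parent is not services.exe
        if (ntpath.basename(e["image"]).lower() == "svchost.exe"
                and ntpath.basename(e["parent_image"]).lower() != "services.exe"):
            findings.append(("orphan_svchost", e["pid"], e["parent_image"]))
    # (3) cross-process memory writes by a process running from a
    #     user-writable path, collapsed to one finding per (writer, target)
    writes = Counter((e["pid"], e["target_pid"])
                     for e in events if e["type"] == "memory_write")
    for (src, dst), n in sorted(writes.items()):
        writer = procs.get(src)
        if writer is not None and user_writable(writer["image"]):
            target = procs[dst]["image"] if dst in procs else "<unknown>"
            findings.append(("injection", src, dst, target, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
```

Run against the constructed log it yields one self_copy (3432 -> 732), two orphan_svchost findings (3712 and 3328, both parented by the WNetval copy), and three collapsed injection findings (732 -> 3712 and 1748 -> 3328 with 21 writes each, 3432 -> 732 with 3), while the services.exe-spawned svchost.exe and notepad.exe produce nothing. On a real host the same checks map onto Sysmon Event ID 1 (Image, ParentImage, Hashes) and Event ID 10 (GrantedAccess including PROCESS_VM_WRITE), with the hash comparison taken from the child's own Event ID 1 record.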
Network
Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  (no response recorded)
Remote address: 8.8.8.8:53
  Request: 232.168.11.51.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 232.168.11.51.in-addr.arpa IN PTR
  (no response recorded)
Remote address: 8.8.8.8:53
  Request: 172.210.232.199.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 172.210.232.199.in-addr.arpa IN PTR
  (no response recorded)
Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 67.31.126.40.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 58.55.71.13.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 86.23.85.13.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 206.23.85.13.in-addr.arpa IN PTR
  Response: (no answer)
Remote address: 8.8.8.8:53
  Request: 18.134.221.88.in-addr.arpa IN PTR
  Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
Remote address: 8.8.8.8:53
  Request: 25.140.123.92.in-addr.arpa IN PTR
  Response: 25.140.123.92.in-addr.arpa IN PTR a92-123-140-25.deploy.static.akamaitechnologies.com
Remote address: 8.8.8.8:53
  Request: 31.243.111.52.in-addr.arpa IN PTR
  Response: (no answer)
Flow summary, one row per queried name (bytes sent, bytes received, requests, responses):
8.8.8.8.in-addr.arpa            132 B   90 B   2   1
232.168.11.51.in-addr.arpa      144 B  158 B   2   1
172.210.232.199.in-addr.arpa    148 B  128 B   2   1
95.221.229.192.in-addr.arpa      73 B  144 B   1   1
67.31.126.40.in-addr.arpa        71 B  157 B   1   1
58.55.71.13.in-addr.arpa         70 B  144 B   1   1
86.23.85.13.in-addr.arpa         70 B  144 B   1   1
206.23.85.13.in-addr.arpa        71 B  145 B   1   1
18.134.221.88.in-addr.arpa       72 B  137 B   1   1
25.140.123.92.in-addr.arpa       72 B  137 B   1   1
31.243.111.52.in-addr.arpa       72 B  158 B   1   1
All recorded traffic consists of reverse (PTR) lookups sent to 8.8.8.8:53; no connection to a Trickbot command-and-control server was observed within the 120 s network window.
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee
  Filesize: 1KB
  MD5: 72bf676cd777b276cc94134c1084705f
  SHA1: b28c19bffa529e935c80d9aecf778ab8bda2dade
  SHA256: d45e7d0432f5aa831108771c00efcea89ec193728449ffd8fb2de885f421db91
  SHA512: 5b39ae19e80fcdb0c513ceadbeabcd9b5ffea5fb2d821e3df43898fda16bb1a9c4ce103774242a4443d80b58fb204d7bff3c85f3f982bde29cb091d045ec5eb4

C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
  Filesize: 368KB
  MD5: d36d0936fd909e33e20adbc0bfc9c310
  SHA1: d209e0cce8ea12e6d04c5ca30d6bc7395ebbc78a
  SHA256: e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382
  SHA512: c6f9503afe245b777ad99a00b67173958210b76a900c05c04e09c668e707010508e97860a25695cbc08bd03cbc55e53085c920c09c3a41483d92546dade99a66
  (Size and all four hashes match the submitted sample: the dropped file is a byte-identical copy, and only the filename differs.)