Analysis

  • max time kernel
    112s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 20:18

General

  • Target

    e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe

  • Size

    368KB

  • MD5

    d36d0936fd909e33e20adbc0bfc9c310

  • SHA1

    d209e0cce8ea12e6d04c5ca30d6bc7395ebbc78a

  • SHA256

    e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382

  • SHA512

    c6f9503afe245b777ad99a00b67173958210b76a900c05c04e09c668e707010508e97860a25695cbc08bd03cbc55e53085c920c09c3a41483d92546dade99a66

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qo:emSuOcHmnYhrDMTrban4qo

Malware Config

Signatures

  • Trickbot

    First observed in 2016, TrickBot is a modular banking Trojan.

  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe
    "C:\Users\Admin\AppData\Local\Temp\e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3712
    • C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:3328
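      The process tree above records two behaviours that are easy to hunt for in endpoint telemetry: the dropped copy runs from %APPDATA%\WNetval\, and svchost.exe is started by that copy rather than by services.exe. The following is an added example written for this page, not code from Triage or from the sample. It runs two rules over Sysmon-style process-creation events and reconstructs each hit's lineage. The event list is constructed from the report's tree (paths and PIDs are the report's); the Sysmon field names are an assumption about the log source, and the parents of PID 3432 and of the second launch (PID 1748), which the report does not show, are assumed.

```python
"""Detection logic for the behaviours this report's process tree records:
a copy running from %APPDATA%\\WNetval\\ and svchost.exe spawned by it.

Added example for this page; not Triage's or the sample's code. Field
names follow Sysmon Event ID 1 (assumption about the log source).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


INITIAL = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382N.exe")
DROPPED = (r"C:\Users\Admin\AppData\Roaming\WNetval"
           r"\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe")
SVCHOST = r"C:\Windows\system32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"

# Constructed sample: the report's tree plus one benign svchost.exe started
# by services.exe as a baseline. PIDs 1200, 900 and 4100 are made up, and the
# parents of 3432 and 1748 are assumed (the report shows neither).
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, SVCHOST, SERVICES),                     # benign baseline
    ProcEvent(3432, 4100, INITIAL, r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(732, 3432, DROPPED, INITIAL),
    ProcEvent(3712, 732, SVCHOST, DROPPED),
    ProcEvent(1748, 1200, DROPPED, SVCHOST),                     # second launch; parent assumed
    ProcEvent(3328, 1748, SVCHOST, DROPPED),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def svchost_parent_anomaly(ev: ProcEvent) -> bool:
    """svchost.exe is normally a child of services.exe; any other parent is
    worth a look, and a parent under a user profile is a strong signal."""
    return (_basename(ev.image) == "svchost.exe"
            and _basename(ev.parent_image) != "services.exe")


def runs_from_wnetval(ev: ProcEvent) -> bool:
    """An executable running from the directory this sample drops into."""
    return "\\appdata\\roaming\\wnetval\\" in ev.image.lower()


RULES = {
    "svchost_parent_anomaly": svchost_parent_anomaly,
    "runs_from_wnetval": runs_from_wnetval,
}


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that matches a rule, sorted."""
    return sorted((ev.pid, name) for ev in events
                  for name, rule in RULES.items() if rule(ev))


def lineage(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk ProcessId -> ParentProcessId back to the oldest ancestor we have
    an event for, rebuilding the report's tree from flat log records."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:  # guard against PID-reuse loops
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        tree = " <- ".join(str(p) for p in lineage(SAMPLE_EVENTS, pid))
        print(f"{rule:24} PID {pid:<5} lineage {tree}")
```

      On the constructed events the svchost rule fires only for PIDs 3712 and 3328 (the baseline started by services.exe stays quiet), the WNetval rule fires for both runs of the dropped copy, and lineage(3712) walks back to PID 3432, the submitted sample.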

      Network

      Reverse (PTR) lookups, all sent to 8.8.8.8:53 (US). "Response, no PTR record" means a reply came back without an answer record; "no response" means none was recorded.

        Query name                      Query    Result
        8.8.8.8.in-addr.arpa            IN PTR   dns.google
        8.8.8.8.in-addr.arpa            IN PTR   no response
        232.168.11.51.in-addr.arpa      IN PTR   response, no PTR record
        232.168.11.51.in-addr.arpa      IN PTR   no response
        172.210.232.199.in-addr.arpa    IN PTR   response, no PTR record
        172.210.232.199.in-addr.arpa    IN PTR   no response
        95.221.229.192.in-addr.arpa     IN PTR   response, no PTR record
        67.31.126.40.in-addr.arpa       IN PTR   response, no PTR record
        58.55.71.13.in-addr.arpa        IN PTR   response, no PTR record
        86.23.85.13.in-addr.arpa        IN PTR   response, no PTR record
        206.23.85.13.in-addr.arpa       IN PTR   response, no PTR record
        18.134.221.88.in-addr.arpa      IN PTR   a88-221-134-18.deploy.static.akamaitechnologies.com
        25.140.123.92.in-addr.arpa      IN PTR   a92-123-140-25.deploy.static.akamaitechnologies.com
        31.243.111.52.in-addr.arpa      IN PTR   response, no PTR record
      • 24.247.182.240:449
        svchost.exe
        260 B
        5
      • 24.247.182.240:449
        svchost.exe
        208 B
        4
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        132 B
        90 B
        2
        1

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        144 B
        158 B
        2
        1

        DNS Request

        232.168.11.51.in-addr.arpa

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        148 B
        128 B
        2
        1

        DNS Request

        172.210.232.199.in-addr.arpa

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        67.31.126.40.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        67.31.126.40.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        86.23.85.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        86.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        18.134.221.88.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        18.134.221.88.in-addr.arpa

      • 8.8.8.8:53
        25.140.123.92.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        25.140.123.92.in-addr.arpa

      • 8.8.8.8:53
        31.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        31.243.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee (a CryptoAPI user key container under the sandbox user's SID)

        Filesize

        1KB

        MD5

        72bf676cd777b276cc94134c1084705f

        SHA1

        b28c19bffa529e935c80d9aecf778ab8bda2dade

        SHA256

        d45e7d0432f5aa831108771c00efcea89ec193728449ffd8fb2de885f421db91

        SHA512

        5b39ae19e80fcdb0c513ceadbeabcd9b5ffea5fb2d821e3df43898fda16bb1a9c4ce103774242a4443d80b58fb204d7bff3c85f3f982bde29cb091d045ec5eb4

      • C:\Users\Admin\AppData\Roaming\WNetval\e9e6240932ab7f17d4e7612dbecb2a026313f9611c719a0e2c97807dde3b6392N.exe (a byte-identical copy of the submitted sample: the hashes below match the General section)

        Filesize

        368KB

        MD5

        d36d0936fd909e33e20adbc0bfc9c310

        SHA1

        d209e0cce8ea12e6d04c5ca30d6bc7395ebbc78a

        SHA256

        e8e5240832ab6f16d4e6512dbecb2a025313f8511c619a0e2c96706dde3b5382

        SHA512

        c6f9503afe245b777ad99a00b67173958210b76a900c05c04e09c668e707010508e97860a25695cbc08bd03cbc55e53085c920c09c3a41483d92546dade99a66

      • Memory dumps (file name is memory/pid-index-start-end-memory.dmp)

        PID    Index   Region                                      Size
        732    9       0x0000000000640000-0x0000000000669000       164KB
        732    10      0x0000000010000000-0x0000000010007000       28KB
        732    11      0x0000000010000000-0x0000000010007000       28KB
        732    15      0x0000000000700000-0x0000000000701000       4KB
        732    22      0x0000000000AC0000-0x0000000000B7E000       760KB
        732    23      0x0000000002680000-0x0000000002949000       2.8MB
        732    24      0x0000000000640000-0x0000000000669000       164KB
        1748   28      0x0000000001AF0000-0x0000000001B19000       164KB
        1748   34      0x0000000001FE0000-0x0000000001FE1000       4KB
        1748   40      0x0000000002000000-0x00000000020BE000       760KB
        1748   41      0x00000000020C0000-0x0000000002389000       2.8MB
        1748   42      0x0000000001AF0000-0x0000000001B19000       164KB
        3328   44      0x0000000010000000-0x000000001001F000       124KB
        3432   1       0x0000000000C30000-0x0000000000C59000       164KB
        3432   8       0x0000000000C30000-0x0000000000C59000       164KB
        3712   16      0x0000000010000000-0x000000001001F000       124KB
        3712   17      0x0000022CE1A90000-0x0000022CE1A91000       4KB

        Both runs of the dropped copy (732 and 1748) unpack the same set of regions (164KB, 760KB and 2.8MB), and both svchost.exe children (3712 and 3328) carry a 124KB mapping at the same address, 0x10000000. Read together with the WriteProcessMemory hits in the Signatures section, that 124KB region is the injected code to pull for analysis.
