Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 10:11

General

  • Target

    202410020707c8152434894033f9c7bd510ea263mafia.exe

  • Size

    489KB

  • MD5

    0707c8152434894033f9c7bd510ea263

  • SHA1

    724a1116754c9621c90e2b2fad5e3b9a1abfa654

  • SHA256

    65e911bc06a1f324cafb964e2a29cbfd37226a0d502c4ddcc846f22221fba0bf

  • SHA512

    6ea7a6a2658112cc096f9039e07e26eb07aabac28ad1b64773cea542652058be015ca3381e297e9d928f296387aa5c067a05f06d7fd6fe1138a9de0c33a3c72d

  • SSDEEP

    6144:V6ZlxMlN8qVY0rmGdW5boVMd3AqEiAqqhYOtRF5498DF06YjnU9ZEFv:k94vY0rPd4boQAqPGRRFK9e06BHEFv

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot154

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:4480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/824-0-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/824-1-0x00000000007F0000-0x0000000000878000-memory.dmp

      Filesize

      544KB

    • memory/824-3-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

    • memory/824-2-0x0000000000590000-0x0000000000591000-memory.dmp

      Filesize

      4KB

    • memory/824-6-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/824-7-0x00000000007F0000-0x0000000000878000-memory.dmp

      Filesize

      544KB

    • memory/824-8-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/1488-5-0x0000024CBB360000-0x0000024CBB361000-memory.dmp

      Filesize

      4KB

    • memory/1488-4-0x0000024CBB1D0000-0x0000024CBB1F9000-memory.dmp

      Filesize

      164KB

    • memory/1488-9-0x0000024CBB1D0000-0x0000024CBB1F9000-memory.dmp

      Filesize

      164KB