Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 17:36
General
-
Target
68a34973ae0a7bebdd8415ae1a79296d05c69f6aeed8fc90b21fe3a1fde5687b.exe
-
Size
110KB
-
MD5
595b19e7618a77ecd00034182c74b0e4
-
SHA1
c5afa94c84a733dbd86edd2061614946aa9cfb19
-
SHA256
68a34973ae0a7bebdd8415ae1a79296d05c69f6aeed8fc90b21fe3a1fde5687b
-
SHA512
029a5bef5c5158b33a3eb025782abb3cddeb53223cb80f1fe38fda5e14c0831bf0524fb6ce66aab6cd1f756c10c0c0f20642245a07b073c788bdb7cca33061d2
-
SSDEEP
3072:wUJC1DZYjcOBmn9nK3lhK7kgB9DTfd+5SEsVoSfR:zIDZ6cOBkE3bKzB9DTV+mV
Malware Config
Extracted
trickbot
1000488
sat68
185.62.189.132:443
5.2.72.84:443
193.37.213.110:443
85.143.220.41:443
5.34.177.50:443
172.82.152.130:443
146.185.253.132:443
107.172.29.108:443
107.172.208.51:443
212.124.117.25:443
64.44.133.151:443
146.185.219.94:443
185.66.13.65:443
194.99.22.48:443
194.5.250.35:443
167.86.123.83:443
107.181.187.221:443
103.219.213.102:449
117.255.221.135:449
189.28.185.50:449
-
autorunName:pwgrab
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
Executes dropped EXE 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\68a34973ae0a7bebdd8415ae1a79296d05c69f6aeed8fc90b21fe3a1fde5687b.exe"C:\Users\Admin\AppData\Local\Temp\68a34973ae0a7bebdd8415ae1a79296d05c69f6aeed8fc90b21fe3a1fde5687b.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\taskeng.exetaskeng.exe {BC57BEAE-AF0D-45F1-BF31-DD67B0DDC5BE} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\syshealth\88a34993ae0a9bebdd8417ae1a99298d07c89f8aeed8fc90b21fe3a1fde7889b.exeC:\Users\Admin\AppData\Roaming\syshealth\88a34993ae0a9bebdd8417ae1a99298d07c89f8aeed8fc90b21fe3a1fde7889b.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
110KB
MD5595b19e7618a77ecd00034182c74b0e4
SHA1c5afa94c84a733dbd86edd2061614946aa9cfb19
SHA25668a34973ae0a7bebdd8415ae1a79296d05c69f6aeed8fc90b21fe3a1fde5687b
SHA512029a5bef5c5158b33a3eb025782abb3cddeb53223cb80f1fe38fda5e14c0831bf0524fb6ce66aab6cd1f756c10c0c0f20642245a07b073c788bdb7cca33061d2