Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 09:20

General

  • Target

    123.exe

  • Size

    676KB

  • MD5

    ab0942e4e1a30a52eb28a2338cfc9eb7

  • SHA1

    05b153cea47c2f9ee31d645d967ad54eb50ef9a9

  • SHA256

    b465cb3eec5644b9e0898bff7cf05a28f131394acfd5674d55c78813ca9b111c

  • SHA512

    fc6579402efbc49ca3d33b3a1de20d72387a4236ef494f447095410f47225d5be9d3463b23de411c4f357e84e1d205cdd0c0a2328f693353e16385b0e9aa81ce

  • SSDEEP

    12288:FacEfn98kB7xGEHuNACiMFL6hwsrwacEAf9n4vUDRtILD+lD7:Ic8n3fhhwGctnRYalP

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

mor124

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-3-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-4-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-14-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-13-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-12-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-11-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-10-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-9-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-8-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-7-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-6-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-5-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-15-0x00000000022A0000-0x00000000022A2000-memory.dmp

    Filesize

    8KB

  • memory/432-16-0x000000000042C000-0x000000000042D000-memory.dmp

    Filesize

    4KB

  • memory/432-18-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/432-17-0x0000000003260000-0x0000000003293000-memory.dmp

    Filesize

    204KB

  • memory/3284-42-0x00000266DEA30000-0x00000266DEA57000-memory.dmp

    Filesize

    156KB

  • memory/3284-43-0x00000266DECD0000-0x00000266DECD1000-memory.dmp

    Filesize

    4KB

  • memory/3284-44-0x00000266DEA30000-0x00000266DEA57000-memory.dmp

    Filesize

    156KB