Overview

overview

10

Static

static

10

Malware-1-...30.exe

windows10-ltsc 2021-x64

10

Malware-1-...40.exe

windows10-ltsc 2021-x64

10

Malware-1-...32.exe

windows10-ltsc 2021-x64

10

Malware-1-.../5.exe

windows10-ltsc 2021-x64

10

Malware-1-...91.exe

windows10-ltsc 2021-x64

10

Malware-1-...ey.exe

windows10-ltsc 2021-x64

7

Malware-1-...ad.exe

windows10-ltsc 2021-x64

3

Malware-1-...ti.exe

windows10-ltsc 2021-x64

5

Malware-1-...an.bat

windows10-ltsc 2021-x64

7

Malware-1-...an.exe

windows10-ltsc 2021-x64

7

Malware-1-...ve.bat

windows10-ltsc 2021-x64

7

Malware-1-...ve.exe

windows10-ltsc 2021-x64

7

Malware-1-...ya.exe

windows10-ltsc 2021-x64

Malware-1-...re.exe

windows10-ltsc 2021-x64

10

Malware-1-...ry.exe

windows10-ltsc 2021-x64

10

Malware-1-...ck.exe

windows10-ltsc 2021-x64

3

Malware-1-...he.exe

windows10-ltsc 2021-x64

10

Malware-1-...op.exe

windows10-ltsc 2021-x64

7

Malware-1-...rb.exe

windows10-ltsc 2021-x64

10

Malware-1-...ue.exe

windows10-ltsc 2021-x64

1

Malware-1-...ng.exe

windows10-ltsc 2021-x64

6

Malware-1-...kt.bat

windows10-ltsc 2021-x64

7

Malware-1-...o3.exe

windows10-ltsc 2021-x64

10

Malware-1-...ey.exe

windows10-ltsc 2021-x64

10

Malware-1-.../m.exe

windows10-ltsc 2021-x64

Malware-1-...o3.exe

windows10-ltsc 2021-x64

9

Malware-1-...32.exe

windows10-ltsc 2021-x64

10

Malware-1-...nf.exe

windows10-ltsc 2021-x64

10

Malware-1-.../o.exe

windows10-ltsc 2021-x64

3

Malware-1-...B8.exe

windows10-ltsc 2021-x64

10

Malware-1-...ic.exe

windows10-ltsc 2021-x64

3

Malware-1-...in.exe

windows10-ltsc 2021-x64

10

Resubmissions

13/02/2025, 01:26

250213-btppra1pcz 10

17/01/2025, 20:14

250117-yz7h3s1qfw 10

17/01/2025, 20:12

250117-yy9l2sslcr 10

17/01/2025, 17:25

250117-vy9p9sxpez 10

17/01/2025, 17:21

250117-vw8eesyjfp 10

17/01/2025, 14:16

250117-rk9ass1rhk 10

17/01/2025, 14:12

250117-rhv1ds1lds 10

16/01/2025, 12:52

250116-p4et7a1mez 10

Analysis

  • max time kernel
    130s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17/01/2025, 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malware-1-master/youwin.exe

  • Size

    379KB

  • MD5

    c3f3773a596db65c6491b578db621c45

  • SHA1

    ba5529fe2d6648ebfa93c17145f5570f448e1111

  • SHA256

    dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

  • SHA512

    8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

  • SSDEEP

    6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4

Score
10/10
trickbotsun10bankerdiscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000312

Botnet

sun10

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

109.234.38.220:443

24.247.182.29:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    evasiontrojan
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot family
    trickbot
  • Trickbot x86 loader 2 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"
    1⤵
    • Modifies Windows Defender notification settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2096
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4596
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
    • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      2⤵
      • Modifies Windows Defender notification settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:852
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3716
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:688
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1224
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:3256
        • C:\Windows\SYSTEM32\regini.exe
          regini C:\Users\Admin\AppData\Local\Temp\tmp051
          4⤵
            PID:4580
          • C:\Windows\SYSTEM32\regini.exe
            regini C:\Users\Admin\AppData\Local\Temp\tmp051
            4⤵
              PID:4924

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      System Services

      1
      T1569

      Service Execution

      1
      T1569.002

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        f9349064c7c8f8467cc12d78a462e5f9

        SHA1

        5e1d27fc64751cd8c0e9448ee47741da588b3484

        SHA256

        883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

        SHA512

        3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        21KB

        MD5

        8e7a3fdff61a5abda83147c9a60fa0a6

        SHA1

        8808acca915a2bcff6f9b62e465c4209f7a25cb2

        SHA256

        dd81cbdff8fea56f553df228ee6578dcaf0256117ff2c0babe75ddb0a68c44f1

        SHA512

        8e95f057c35178635c9f2f4c8150b6ed3b16c0514b9ba3e8ac4bb8e2ad0fc5962c3a43e4d548ed8f9a1f9b3a279dae786cd7c1845b5a41b6234132b01fbb8925

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aytxqua3.j2e.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        e4bcd320585af9f77671cc6e91fe9de6

        SHA1

        15f12439eb3e133affb37b29e41e57d89fc90e06

        SHA256

        a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

        SHA512

        00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        58b2f90cc0182925ae0bab51700b14ab

        SHA1

        d2975adeb8dc68f2f5e10edee524de78e79828db

        SHA256

        8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

        SHA512

        de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2826969134-2088669430-2680400721-1000\0f5007522459c86e95ffcc62f32308f1_c34e6206-9fd0-4ef0-894c-26264c205565
        Filesize

        1KB

        MD5

        70de24be45fd0abe97bd4ed318f1847d

        SHA1

        ec0808c4eefc0742b36bb85dd73cb7e40c60e32b

        SHA256

        44c58e96684ff93ef7df340f134ca96ca691d5c2e5e22e26ebb30c0c58a180e3

        SHA512

        f2d27af37515eb95849a3b8246b217d6733aabfbabdea3d95bbebf76c36cde1f2e966e709fb39d5d27c4b71a5099f29428a23b006efbd2f127204faea33f21ea

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
        Filesize

        379KB

        MD5

        c3f3773a596db65c6491b578db621c45

        SHA1

        ba5529fe2d6648ebfa93c17145f5570f448e1111

        SHA256

        dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

        SHA512

        8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

        Download Submit

      • memory/1224-79-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1224-73-0x0000000005870000-0x0000000005BC7000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1224-83-0x0000000070A10000-0x0000000070A5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1224-93-0x00000000070C0000-0x0000000007163000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2552-30-0x00000000709E0000-0x0000000070A2C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2552-43-0x0000000074100000-0x00000000748B1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2552-25-0x0000000005A20000-0x0000000005D77000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2552-26-0x0000000005E80000-0x0000000005E9E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2552-27-0x0000000006310000-0x000000000635C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2552-28-0x0000000074100000-0x00000000748B1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2552-29-0x00000000070D0000-0x0000000007102000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2552-13-0x00000000058B0000-0x0000000005916000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2552-40-0x00000000064C0000-0x00000000064DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2552-42-0x0000000074100000-0x00000000748B1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2552-41-0x0000000007110000-0x00000000071B3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2552-10-0x0000000005100000-0x00000000057CA000-memory.dmp

        Filesize

        6.8MB

        Download

      • memory/2552-45-0x00000000071F0000-0x000000000720A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-44-0x0000000007840000-0x0000000007EBA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2552-46-0x0000000007250000-0x000000000725A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2552-47-0x0000000007450000-0x00000000074E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2552-50-0x0000000074100000-0x00000000748B1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2552-7-0x000000007410E000-0x000000007410F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2552-11-0x0000000005040000-0x0000000005062000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2552-8-0x00000000024D0000-0x0000000002506000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2552-9-0x0000000074100000-0x00000000748B1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2552-12-0x00000000057D0000-0x0000000005836000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2672-81-0x0000000002990000-0x0000000002A4D000-memory.dmp

        Filesize

        756KB

        Download

      • memory/2672-82-0x0000000002A50000-0x0000000002D46000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2672-56-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2672-57-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2672-51-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/2672-80-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3256-61-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3256-60-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3256-100-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4952-0-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/4952-24-0x00000000007C0000-0x0000000000800000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4952-23-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/4952-5-0x00000000007C0000-0x0000000000800000-memory.dmp

        Filesize

        256KB

        Download