File name:	lastimg.png
Full analysis:	https://app.any.run/tasks/a404c762-4bc6-4b68-9535-e5a44d57fd65
Verdict:	Malicious activity
Threats:	TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 06, 2019, 23:21:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trickbot trojan opendir
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BF99FDB53B187D22B7C21EAB64562F44
SHA1:	6FC79E06E451BEE089E5AC2142D11C6C94B81B90
SHA256:	F0542BFB8AB680E87F618EACD723EE750DCC6413E1C5D43221417E90D747376E
SSDEEP:	6144:4Yg+Xv9HYuh6gSN70FvEZnETbszx8KfL6t0V7VdZBV0gug3mgwxp:bfFh6gakwOlKfLK0Vv/0gWgw

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:09:11 12:53:09+02:00
PEType:	PE32
LinkerVersion:	7
CodeSize:	225280
InitializedDataSize:	270336
UninitializedDataSize:	-
EntryPoint:	0x5edd
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	11-Sep-2019 10:53:09
Detected languages:	English - United States

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	11-Sep-2019 10:53:09
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003615C	0x00037000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.53557
.rdata	0x00038000	0x0000D602	0x0000E000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.56563
.data	0x00046000	0x000060B4	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.97113
.rsrc	0x0004D000	0x0002CFB8	0x0002D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.9915

Title	Entropy	Size	Codepage	Language	Type
1	2.61023	744	UNKNOWN	English - United States	RT_ICON
103	3.06118	200	UNKNOWN	English - United States	RT_DIALOG
130	2.16096	20	UNKNOWN	English - United States	RT_GROUP_ICON
131	3.50732	1358	UNKNOWN	English - United States	RT_DIALOG
444	7.99893	181572	UNKNOWN	UNKNOWN	RT_RCDATA

PID	CMD	Path	Indicators	Parent process
2116	"C:\Users\admin\AppData\Local\Temp\lastimg.png.exe"	C:\Users\admin\AppData\Local\Temp\lastimg.png.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
340	C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}	C:\Windows\SysWOW64\DllHost.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2404	"C:\Users\admin\AppData\Roaming\speedlink\nautiog.exe"	C:\Users\admin\AppData\Roaming\speedlink\nautiog.exe	—	DllHost.exe
User: admin Integrity Level: HIGH Exit code: 0
2036	C:\Windows\system32\svchost.exe	C:\Windows\system32\svchost.exe	—	nautiog.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2188	C:\Users\admin\AppData\Roaming\speedlink\nautiog.exe	C:\Users\admin\AppData\Roaming\speedlink\nautiog.exe	—	taskeng.exe
User: SYSTEM Integrity Level: SYSTEM Exit code: 0
2936	C:\Windows\system32\svchost.exe	C:\Windows\system32\svchost.exe		nautiog.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255)


(PID) Process:	(340) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(340) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(340) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(340) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2936) svchost.exe	Key:	HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\12F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINSPOOL.DRV

PID	Process	Filename		Type
2936	svchost.exe	C:\Windows\TEMP\CabC50D.tmp		—
		MD5:—	SHA256:—
2936	svchost.exe	C:\Windows\TEMP\TarC50E.tmp		—
		MD5:—	SHA256:—
2936	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:F52B898349C623BDA088F81D944E64B1	SHA256:A71BB758CFB7099E835FF6587193DED75201AC800DA161A9A0762117ED2F2227
2936	svchost.exe	C:\Users\admin\AppData\Roaming\speedlink\settings.ini		text
		MD5:448EE1ABF3369CBC22B7F8DF3106B283	SHA256:EEC98824914135C260F4C42F6F57E0D08CEDF3743C0C01E2CA58EA46BD52AF56
2116	lastimg.png.exe	C:\Users\admin\AppData\Roaming\speedlink\nautiog.exe		executable
		MD5:BF99FDB53B187D22B7C21EAB64562F44	SHA256:F0542BFB8AB680E87F618EACD723EE750DCC6413E1C5D43221417E90D747376E
2936	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A		binary
		MD5:601AC65F7D2937BBA0A5CCEE368266A8	SHA256:DF10B94A8908AD25A88F9E0FFF5E1737F2E21353D427EF68F3C1E9046B0C2040
2936	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:5AD071A3917588E8CD883B123B395B21	SHA256:DE62965C15528DA598B0079D2D20D953DD6F71B13A23807BFF0666D03F69C0FA
2936	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A		cat
		MD5:D4AE187B4574036C2D76B6DF8A8C1A30	SHA256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2936	svchost.exe	GET	200	192.35.177.64:80	http://apps.identrust.com/roots/dstrootcax3.p7c	US	cat	893 b	shared
2936	svchost.exe	GET	200	8.248.117.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0e852f53e72eacff	US	compressed	57.4 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2936	svchost.exe	176.58.123.25:443	ident.me	Linode, LLC	GB	suspicious
2936	svchost.exe	8.248.117.254:80	ctldl.windowsupdate.com	Level 3 Communications, Inc.	US	malicious
2936	svchost.exe	190.214.13.2:449	—	CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP	EC	malicious
2936	svchost.exe	192.35.177.64:80	apps.identrust.com	IdenTrust	US	malicious

Domain	IP	Reputation
ctldl.windowsupdate.com	8.248.117.254 67.26.83.254 67.27.157.254 67.27.159.254 67.27.158.126	whitelisted
ident.me	176.58.123.25	shared
apps.identrust.com	192.35.177.64	shared

PID	Process	Class	Message
2936	svchost.exe	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 12
2936	svchost.exe	Not Suspicious Traffic	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2936	svchost.exe	Potential Corporate Privacy Violation	ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me)

General Info

lastimg.png

BF99FDB53B187D22B7C21EAB64562F44

6FC79E06E451BEE089E5AC2142D11C6C94B81B90

F0542BFB8AB680E87F618EACD723EE750DCC6413E1C5D43221417E90D747376E

6144:4Yg+Xv9HYuh6gSN70FvEZnETbszx8KfL6t0V7VdZBV0gug3mgwxp:bfFh6gakwOlKfLK0Vv/0gWgw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TRICKBOT was detected

Known privilege escalation attack

Uses SVCHOST.EXE for hidden code execution

Loads the Task Scheduler COM API

Connects to CnC server

SUSPICIOUS

Executed via COM

Executable content was dropped or overwritten

Creates files in the user directory

Executed via Task Scheduler

Removes files from Windows directory

Connects to unusual port

Creates files in the Windows directory

Reads the machine GUID from the registry

INFO

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings