| File name: | b11c4792645e89d8170a81f592fb5be7 |
| Full analysis: | https://app.any.run/tasks/b77f2e11-5ebb-45eb-a078-7aa35c8927db |
| Verdict: | Malicious activity |
| Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
| Analysis date: | August 13, 2019, 17:15:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | B11C4792645E89D8170A81F592FB5BE7 |
| SHA1: | 9AEA359B5E7C61FC5CFC2538A3DD91634B410028 |
| SHA256: | F4A68691FCFDFF7564E9B992E158B6552FC589B645E205FCE03428C0E5A86962 |
| SSDEEP: | 6144:HmHpPhyzn7nIXrBYE+zXESocp02CqJQHLgUCjnJx:YpkHWYE+zj2lloJ |
MALICIOUS
TRICKBOT was detected
- b11c4792645e89d8170a81f592fb5be7.exe (PID: 2080)
Loads the Task Scheduler COM API
- b11c4792645e89d8170a81f592fb5be7.exe (PID: 2080)
Stops/Deletes Windows Defender service via SC.exe
- cmd.exe (PID: 1848)
- cmd.exe (PID: 3604)
- cmd.exe (PID: 3048)
- cmd.exe (PID: 3040)
SUSPICIOUS
Starts CMD.EXE for commands execution
- b11c4792645e89d8170a81f592fb5be7.exe (PID: 2080)
- b11c4992847e89d8190a81f792fb7be9.exe (PID: 3460)
Executes PowerShell scripts
- cmd.exe (PID: 768)
- cmd.exe (PID: 3136)
Creates files in the user directory
- powershell.exe (PID: 3112)
- b11c4792645e89d8170a81f592fb5be7.exe (PID: 2080)
- powershell.exe (PID: 4020)
Executable content was dropped or overwritten
- b11c4792645e89d8170a81f592fb5be7.exe (PID: 2080)
Executed via Task Scheduler
- b11c4992847e89d8190a81f792fb7be9.exe (PID: 3460)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:06:25 11:15:40+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 8704 |
| InitializedDataSize: | 430080 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2a47 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.1.7601.17514 |
| ProductVersionNumber: | 6.1.7601.17514 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Dynamic link library |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Performance Center |
| FileVersion: | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName: | PERFCENTER |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | PERFCENTER.DLL |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 6.1.7601.17514 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 25-Jun-2019 09:15:40 |
| Detected languages: |
|
| Debug artifacts: |
|
| CompanyName: | Microsoft Corporation |
| FileDescription: | Performance Center |
| FileVersion: | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName: | PERFCENTER |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFilename: | PERFCENTER.DLL |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 6.1.7601.17514 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E8 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 4 |
| Time date stamp: | 25-Jun-2019 09:15:40 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x00002154 | 0x00002200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.19072 |
.rdata | 0x00004000 | 0x0003972E | 0x00039800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.05877 |
.data | 0x0003E000 | 0x00000744 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.808058 |
.rsrc | 0x0003F000 | 0x0002F532 | 0x0002F600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.86989 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.0207 | 598 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.36893 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 3.4062 | 38056 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 3.29761 | 21640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 2.69926 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 3.70863 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 3.23128 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 4.20048 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 3.8927 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
10 | 2.38206 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
Imports
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
MSVCP90.dll |
MSVCR90.dll |
USER32.dll |
Total processes
54
Monitored processes
14
Malicious processes
2
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | sc stop WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 768 | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\system32\cmd.exe | — | b11c4792645e89d8170a81f592fb5be7.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1848 | /c sc stop WinDefend | C:\Windows\system32\cmd.exe | — | b11c4992847e89d8190a81f792fb7be9.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2080 | "C:\Users\admin\Desktop\b11c4792645e89d8170a81f592fb5be7.exe" | C:\Users\admin\Desktop\b11c4792645e89d8170a81f592fb5be7.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Performance Center Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2100 | sc delete WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2632 | sc delete WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3040 | /c sc delete WinDefend | C:\Windows\system32\cmd.exe | — | b11c4792645e89d8170a81f592fb5be7.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3048 | /c sc stop WinDefend | C:\Windows\system32\cmd.exe | — | b11c4792645e89d8170a81f592fb5be7.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3112 | powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3136 | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\system32\cmd.exe | — | b11c4992847e89d8190a81f792fb7be9.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
458
Read events
348
Write events
110
Delete events
0
Modification events
| (PID) Process: | (3112) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4020) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
1
Suspicious files
6
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ID5ZGICWTBCYFC9SBO.temp | — | |
MD5:— | SHA256:— | |||
| 4020 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9BYTMWDDT8QTZYU65HP.temp | — | |
MD5:— | SHA256:— | |||
| 3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF36ef0c.TMP | binary | |
MD5:— | SHA256:— | |||
| 2080 | b11c4792645e89d8170a81f592fb5be7.exe | C:\Users\admin\AppData\Roaming\MsNetMnu\b11c4992847e89d8190a81f792fb7be9.exe | executable | |
MD5:— | SHA256:— | |||
| 3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 4020 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 4020 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF37ed81.TMP | binary | |
MD5:— | SHA256:— | |||
| 2080 | b11c4792645e89d8170a81f592fb5be7.exe | C:\Users\admin\AppData\Roaming\MsNetMnu\SiteSecurityServiceState.txt | text | |
MD5:— | SHA256:— | |||
| 2080 | b11c4792645e89d8170a81f592fb5be7.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:— | SHA256:— | |||
| 3460 | b11c4992847e89d8190a81f792fb7be9.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2080 | b11c4792645e89d8170a81f592fb5be7.exe | 37.230.117.170:443 | — | JSC ISPsystem | RU | unknown |