trickbot | baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca

Analysis

max time kernel
69s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 14:32

Target

baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe
Size

422KB
MD5

2fa5b98de882a2c9015efdcfdd88be65
SHA1

0a454b220eea65bd757acb937c0ed2e745e148fd
SHA256

baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca
SHA512

9e3a5483acaf0cb97eff62fad04c8c6887a1e660af6e54f18304dd9905d9dd4f601f1df016840a438f1c85cfc260537c562d0def99159082cf525d93456f3b66

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4228-132-0x0000000000680000-0x0000000000689000-memory.dmp	trickbot_loader32
behavioral2/memory/4228-134-0x0000000000680000-0x0000000000689000-memory.dmp	trickbot_loader32

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

5044 powershell.exe
5044 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5044 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe

pid process

4228 baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe

pid	process
5044	powershell.exe
5044	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5044	powershell.exe

pid	process
4228	baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.execmd.exe

description	pid	process	target process
PID 4228 wrote to memory of 4224	4228	baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe	cmd.exe
PID 4228 wrote to memory of 4224	4228	baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe	cmd.exe
PID 4228 wrote to memory of 4224	4228	baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe	cmd.exe
PID 4224 wrote to memory of 5044	4224	cmd.exe	powershell.exe
PID 4224 wrote to memory of 5044	4224	cmd.exe	powershell.exe
PID 4224 wrote to memory of 5044	4224	cmd.exe	powershell.exe

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\baa80c291a9fbc8c5d70a0183385bed0b90d2792b8e5130cd399237d364c1fca.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

memory/4224-133-0x0000000000000000-mapping.dmp

Download
memory/4228-132-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/4228-134-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/5044-138-0x0000000004950000-0x0000000004972000-memory.dmp

Filesize
136KB

Download
memory/5044-136-0x0000000002120000-0x0000000002156000-memory.dmp

Filesize
216KB

Download
memory/5044-137-0x0000000004C80000-0x00000000052A8000-memory.dmp

Filesize
6.2MB

Download
memory/5044-135-0x0000000000000000-mapping.dmp

Download
memory/5044-139-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/5044-140-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/5044-141-0x0000000005A20000-0x0000000005A3E000-memory.dmp

Filesize
120KB

Download
memory/5044-142-0x0000000007150000-0x00000000077CA000-memory.dmp

Filesize
6.5MB

Download
memory/5044-143-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/5044-144-0x0000000006CD0000-0x0000000006D66000-memory.dmp

Filesize
600KB

Download
memory/5044-145-0x0000000006C60000-0x0000000006C82000-memory.dmp

Filesize
136KB

Download
memory/5044-146-0x0000000007D80000-0x0000000008324000-memory.dmp

Filesize
5.6MB

Download