trickbot | b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

Analysis

max time kernel
148s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe
Size

268KB
MD5

d45995955d4daa70aca8cd90cc44b836
SHA1

f8a110db571ae02c02ea709a133c34ab16f7be44
SHA256

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04
SHA512

53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2204-130-0x0000000002300000-0x0000000002330000-memory.dmp	trickbot_loader32
behavioral2/memory/2204-132-0x00000000021A0000-0x00000000021CE000-memory.dmp	trickbot_loader32
behavioral2/memory/2204-133-0x0000000002301000-0x000000000232F000-memory.dmp	trickbot_loader32
behavioral2/memory/2204-135-0x0000000002301000-0x000000000232F000-memory.dmp	trickbot_loader32
behavioral2/memory/372-142-0x0000000000551000-0x000000000057F000-memory.dmp	trickbot_loader32
behavioral2/memory/372-144-0x0000000000551000-0x000000000057F000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

pid process

372 b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1556 svchost.exe

pid	process
372	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

description	pid	process
Token: SeTcbPrivilege	1556	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exeb20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

description	pid	process	target process
PID 2204 wrote to memory of 176	2204	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 2204 wrote to memory of 176	2204	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 2204 wrote to memory of 176	2204	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 2204 wrote to memory of 176	2204	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 372 wrote to memory of 1556	372	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 372 wrote to memory of 1556	372	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 372 wrote to memory of 1556	372	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 372 wrote to memory of 1556	372	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe
"C:\Users\Admin\AppData\Local\Temp\b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:176

C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Filesize
268KB

MD5
d45995955d4daa70aca8cd90cc44b836

SHA1
f8a110db571ae02c02ea709a133c34ab16f7be44

SHA256
b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

SHA512
53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Download Submit
C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Filesize
268KB

MD5
d45995955d4daa70aca8cd90cc44b836

SHA1
f8a110db571ae02c02ea709a133c34ab16f7be44

SHA256
b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

SHA512
53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Download Submit
memory/176-137-0x0000018D90AB0000-0x0000018D90AD0000-memory.dmp

Filesize
128KB

Download
memory/176-134-0x0000000000000000-mapping.dmp

Download
memory/176-136-0x0000018D90AB0000-0x0000018D90AD0000-memory.dmp

Filesize
128KB

Download
memory/372-142-0x0000000000551000-0x000000000057F000-memory.dmp

Filesize
184KB

Download
memory/372-144-0x0000000000551000-0x000000000057F000-memory.dmp

Filesize
184KB

Download
memory/372-145-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1556-143-0x0000000000000000-mapping.dmp

Download
memory/1556-146-0x000001F545330000-0x000001F545350000-memory.dmp

Filesize
128KB

Download
memory/1556-147-0x000001F545330000-0x000001F545350000-memory.dmp

Filesize
128KB

Download
memory/2204-135-0x0000000002301000-0x000000000232F000-memory.dmp

Filesize
184KB

Download
memory/2204-130-0x0000000002300000-0x0000000002330000-memory.dmp

Filesize
192KB

Download
memory/2204-133-0x0000000002301000-0x000000000232F000-memory.dmp

Filesize
184KB

Download
memory/2204-132-0x00000000021A0000-0x00000000021CE000-memory.dmp

Filesize
184KB

Download