trickbot | d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

General

Target

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
Size

492KB
MD5

3f1b28c0955bf9d8854a7a0887ba8785
SHA1

29d602d28f21760a38e46f7d2f9a1f08d3dea092
SHA256

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b
SHA512

c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1964-61-0x00000000002E0000-0x000000000030D000-memory.dmp	trickbot_loader32
behavioral1/memory/1964-63-0x00000000002E0000-0x000000000030D000-memory.dmp	trickbot_loader32
behavioral1/memory/908-70-0x00000000008A0000-0x00000000008CD000-memory.dmp	trickbot_loader32
behavioral1/memory/908-72-0x00000000008A0000-0x00000000008CD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

ըհվտռոոոռեռֆ.exeըհվտռոոոռեռֆ.exe

pid process

1964 ըհվտռոոոռեռֆ.exe
908 ըհվտռոոոռեռֆ.exe

pid	process
1964	ըհվտռոոոռեռֆ.exe
908	ըհվտռոոոռեռֆ.exe

Loads dropped DLL 2 IoCs

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe

pid	process
876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1444 svchost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exeըհվտռոոոռեռֆ.exeըհվտռոոոռեռֆ.exe

pid process

876 d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
1964 ըհվտռոոոռեռֆ.exe
908 ըհվտռոոոռեռֆ.exe

description	pid	process
Token: SeTcbPrivilege	1444	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exeըհվտռոոոռեռֆ.exetaskeng.exeըհվտռոոոռեռֆ.exe

description	pid	process	target process
PID 876 wrote to memory of 1964	876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 876 wrote to memory of 1964	876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 876 wrote to memory of 1964	876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 876 wrote to memory of 1964	876	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 1964 wrote to memory of 828	1964	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 656 wrote to memory of 908	656	taskeng.exe	ըհվտռոոոռեռֆ.exe
PID 656 wrote to memory of 908	656	taskeng.exe	ըհվտռոոոռեռֆ.exe
PID 656 wrote to memory of 908	656	taskeng.exe	ըհվտռոոոռեռֆ.exe
PID 656 wrote to memory of 908	656	taskeng.exe	ըհվտռոոոռեռֆ.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 908 wrote to memory of 1444	908	ըհվտռոոոռեռֆ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
"C:\Users\Admin\AppData\Local\Temp\d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\ProgramData\ըհվտռոոոռեռֆ.exe
"C:\ProgramData\ըհվտռոոոռեռֆ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {51840CF6-7D90-4A61-9940-D2ED16FD1315} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
memory/828-65-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/828-62-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/876-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/908-67-0x0000000000000000-mapping.dmp

Download
memory/908-70-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/908-72-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/1444-71-0x0000000000000000-mapping.dmp

Download
memory/1444-73-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1444-74-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1964-63-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/1964-61-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads