trickbot | d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

General

Target

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
Size

492KB
MD5

3f1b28c0955bf9d8854a7a0887ba8785
SHA1

29d602d28f21760a38e46f7d2f9a1f08d3dea092
SHA256

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b
SHA512

c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3448-133-0x00000000020D0000-0x00000000020FD000-memory.dmp	trickbot_loader32
behavioral2/memory/3448-135-0x00000000020D0000-0x00000000020FD000-memory.dmp	trickbot_loader32
behavioral2/memory/3844-139-0x0000000000E20000-0x0000000000E4D000-memory.dmp	trickbot_loader32
behavioral2/memory/3844-141-0x0000000000E20000-0x0000000000E4D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

ըհվտռոոոռեռֆ.exeըհվտռոոոռեռֆ.exe

pid process

3448 ըհվտռոոոռեռֆ.exe
3844 ըհվտռոոոռեռֆ.exe

pid	process
3448	ըհվտռոոոռեռֆ.exe
3844	ըհվտռոոոռեռֆ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 4624 svchost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exeըհվտռոոոռեռֆ.exeըհվտռոոոռեռֆ.exe

pid process

4172 d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
3448 ըհվտռոոոռեռֆ.exe
3844 ըհվտռոոոռեռֆ.exe

description	pid	process
Token: SeTcbPrivilege	4624	svchost.exe

pid	process
4172	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
3448	ըհվտռոոոռեռֆ.exe
3844	ըհվտռոոոռեռֆ.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exeըհվտռոոոռեռֆ.exeըհվտռոոոռեռֆ.exe

description	pid	process	target process
PID 4172 wrote to memory of 3448	4172	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 4172 wrote to memory of 3448	4172	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 4172 wrote to memory of 3448	4172	d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe	ըհվտռոոոռեռֆ.exe
PID 3448 wrote to memory of 3412	3448	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3448 wrote to memory of 3412	3448	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3448 wrote to memory of 3412	3448	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3448 wrote to memory of 3412	3448	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3844 wrote to memory of 4624	3844	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3844 wrote to memory of 4624	3844	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3844 wrote to memory of 4624	3844	ըհվտռոոոռեռֆ.exe	svchost.exe
PID 3844 wrote to memory of 4624	3844	ըհվտռոոոռեռֆ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe
"C:\Users\Admin\AppData\Local\Temp\d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172

C:\ProgramData\ըհվտռոոոռեռֆ.exe
"C:\ProgramData\ըհվտռոոոռեռֆ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3412

C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\ProgramData\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\ըհվտռոոոռեռֆ.exe
Filesize
492KB

MD5
3f1b28c0955bf9d8854a7a0887ba8785

SHA1
29d602d28f21760a38e46f7d2f9a1f08d3dea092

SHA256
d0cc346706bfebc9882fa24199177320c076d02bf844a400a50600437836377b

SHA512
c46941e6578d06a7a5760847022b04414ca3d07af629957e12ebbd892b3f60bc1b86fb93c038ba3172f1c233edd99f18586e477a5f983cfd55ee6000cd0771ec

Download Submit
memory/3412-136-0x000001E2E6590000-0x000001E2E65AE000-memory.dmp

Filesize
120KB

Download
memory/3412-134-0x0000000000000000-mapping.dmp

Download
memory/3448-133-0x00000000020D0000-0x00000000020FD000-memory.dmp

Filesize
180KB

Download
memory/3448-135-0x00000000020D0000-0x00000000020FD000-memory.dmp

Filesize
180KB

Download
memory/3448-130-0x0000000000000000-mapping.dmp

Download
memory/3844-139-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/3844-141-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download
memory/4624-142-0x00000212F5280000-0x00000212F529E000-memory.dmp

Filesize
120KB

Download
memory/4624-143-0x00000212F5280000-0x00000212F529E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads