trickbot | e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

General

Target

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe
Size

350KB
MD5

02441573d362188574bb84b67032b83f
SHA1

1a00c86f95c432810a173bbb4cb5e241282b0609
SHA256

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee
SHA512

8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4040-133-0x0000000000700000-0x0000000000730000-memory.dmp	trickbot_loader32
behavioral2/memory/4040-135-0x00000000006D0000-0x00000000006FE000-memory.dmp	trickbot_loader32
behavioral2/memory/4040-136-0x0000000000701000-0x000000000072F000-memory.dmp	trickbot_loader32
behavioral2/memory/4040-138-0x0000000000701000-0x000000000072F000-memory.dmp	trickbot_loader32
behavioral2/memory/2072-145-0x00000000014D1000-0x00000000014FF000-memory.dmp	trickbot_loader32
behavioral2/memory/2072-147-0x00000000014D1000-0x00000000014FF000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

ÑÑ‡Ð².exeÑÑ‡Ð².exe

pid process

4040 ÑÑ‡Ð².exe
2072 ÑÑ‡Ð².exe

pid	process
4040	ÑÑ‡Ð².exe
2072	ÑÑ‡Ð².exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1592 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1592	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exeÑÑ‡Ð².exeÑÑ‡Ð².exe

description	pid	process	target process
PID 4424 wrote to memory of 4040	4424	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 4424 wrote to memory of 4040	4424	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 4424 wrote to memory of 4040	4424	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 4040 wrote to memory of 4188	4040	ÑÑ‡Ð².exe	svchost.exe
PID 4040 wrote to memory of 4188	4040	ÑÑ‡Ð².exe	svchost.exe
PID 4040 wrote to memory of 4188	4040	ÑÑ‡Ð².exe	svchost.exe
PID 4040 wrote to memory of 4188	4040	ÑÑ‡Ð².exe	svchost.exe
PID 2072 wrote to memory of 1592	2072	ÑÑ‡Ð².exe	svchost.exe
PID 2072 wrote to memory of 1592	2072	ÑÑ‡Ð².exe	svchost.exe
PID 2072 wrote to memory of 1592	2072	ÑÑ‡Ð².exe	svchost.exe
PID 2072 wrote to memory of 1592	2072	ÑÑ‡Ð².exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe
"C:\Users\Admin\AppData\Local\Temp\e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424

C:\ProgramData\ÑÑ‡Ð².exe
"C:\ProgramData\ÑÑ‡Ð².exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4188

C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
memory/1592-148-0x0000022392C60000-0x0000022392C80000-memory.dmp

Filesize
128KB

Download
memory/1592-146-0x0000000000000000-mapping.dmp

Download
memory/2072-147-0x00000000014D1000-0x00000000014FF000-memory.dmp

Filesize
184KB

Download
memory/2072-145-0x00000000014D1000-0x00000000014FF000-memory.dmp

Filesize
184KB

Download
memory/4040-135-0x00000000006D0000-0x00000000006FE000-memory.dmp

Filesize
184KB

Download
memory/4040-138-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/4040-136-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/4040-130-0x0000000000000000-mapping.dmp

Download
memory/4040-133-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/4188-140-0x000001933B560000-0x000001933B580000-memory.dmp

Filesize
128KB

Download
memory/4188-139-0x000001933B560000-0x000001933B580000-memory.dmp

Filesize
128KB

Download
memory/4188-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads