trickbot | e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

Analysis

max time kernel
117s
max time network
47s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
Size

500KB
MD5

befa5f863f0135a4c707840bca4a00d8
SHA1

59638e244df8b59916d1c16c94eae8ee8f2814b5
SHA256

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2
SHA512

7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1948-61-0x0000000001C90000-0x0000000001CBE000-memory.dmp	trickbot_loader32
behavioral1/memory/1948-72-0x0000000001C60000-0x0000000001C8D000-memory.dmp	trickbot_loader32
behavioral1/memory/1948-73-0x0000000001C91000-0x0000000001CBD000-memory.dmp	trickbot_loader32
behavioral1/memory/1544-74-0x00000000003D1000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1532-83-0x0000000000941000-0x000000000096D000-memory.dmp	trickbot_loader32
behavioral1/memory/1532-87-0x0000000000941000-0x000000000096D000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

àâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid process

1948 àâûñ÷âöóûâïï.exe
1544 àâûñ÷âöóûâïï.exe
1532 àâûñ÷âöóûâïï.exe

pid	process
1948	àâûñ÷âöóûâïï.exe
1544	àâûñ÷âöóûâïï.exe
1532	àâûñ÷âöóûâïï.exe

Loads dropped DLL 4 IoCs

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exeàâûñ÷âöóûâïï.exe

pid	process
2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
1948	àâûñ÷âöóûâïï.exe
1948	àâûñ÷âöóûâïï.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

àâûñ÷âöóûâïï.exe

description pid process

Token: SeTcbPrivilege 1532 àâûñ÷âöóûâïï.exe

description	pid	process
Token: SeTcbPrivilege	1532	àâûñ÷âöóûâïï.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid	process
2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
1948	àâûñ÷âöóûâïï.exe
1948	àâûñ÷âöóûâïï.exe
1544	àâûñ÷âöóûâïï.exe
1544	àâûñ÷âöóûâïï.exe
1532	àâûñ÷âöóûâïï.exe
1532	àâûñ÷âöóûâïï.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exetaskeng.exeàâûñ÷âöóûâïï.exe

description	pid	process	target process
PID 2024 wrote to memory of 1948	2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 2024 wrote to memory of 1948	2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 2024 wrote to memory of 1948	2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 2024 wrote to memory of 1948	2024	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 1948 wrote to memory of 1544	1948	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 1948 wrote to memory of 1544	1948	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 1948 wrote to memory of 1544	1948	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 1948 wrote to memory of 1544	1948	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1544 wrote to memory of 1764	1544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1164 wrote to memory of 1532	1164	taskeng.exe	àâûñ÷âöóûâïï.exe
PID 1164 wrote to memory of 1532	1164	taskeng.exe	àâûñ÷âöóûâïï.exe
PID 1164 wrote to memory of 1532	1164	taskeng.exe	àâûñ÷âöóûâïï.exe
PID 1164 wrote to memory of 1532	1164	taskeng.exe	àâûñ÷âöóûâïï.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1532 wrote to memory of 1536	1532	àâûñ÷âöóûâïï.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
"C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\ProgramData\àâûñ÷âöóûâïï.exe
"C:\ProgramData\àâûñ÷âöóûâïï.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:1764

C:\Windows\system32\taskeng.exe
taskeng.exe {529774D8-BFA6-4294-961F-30E3239B423C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
memory/1532-78-0x0000000000000000-mapping.dmp

Download
memory/1532-87-0x0000000000941000-0x000000000096D000-memory.dmp

Filesize
176KB

Download
memory/1532-85-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1532-83-0x0000000000941000-0x000000000096D000-memory.dmp

Filesize
176KB

Download
memory/1536-86-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1536-84-0x0000000000000000-mapping.dmp

Download
memory/1536-88-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1544-65-0x0000000000000000-mapping.dmp

Download
memory/1544-74-0x00000000003D1000-0x00000000003FD000-memory.dmp

Filesize
176KB

Download
memory/1544-75-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1764-77-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1764-76-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1764-71-0x0000000000000000-mapping.dmp

Download
memory/1948-73-0x0000000001C91000-0x0000000001CBD000-memory.dmp

Filesize
176KB

Download
memory/1948-72-0x0000000001C60000-0x0000000001C8D000-memory.dmp

Filesize
180KB

Download
memory/1948-61-0x0000000001C90000-0x0000000001CBE000-memory.dmp

Filesize
184KB

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads