trickbot | c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6

Analysis

max time kernel
209s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 04:57

Target

c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe
Size

162KB
MD5

a0565dc0bb68fd8c0437d5e368d7de23
SHA1

68e17b0cb0a8f48d77f4923a42584ad867132f7a
SHA256

c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6
SHA512

630781b22a9c231155ed82a94f6ff06fba9582a3bc036e821f875149f468680bdee5e8cf3f09a4b5c184d439ea1abfed5b420d7cef06b2550f2fcdb4f9017024

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1960-131-0x0000000002060000-0x0000000002069000-memory.dmp	trickbot_loader32
behavioral2/memory/1960-132-0x0000000002060000-0x0000000002069000-memory.dmp	trickbot_loader32
behavioral2/memory/1960-134-0x0000000002060000-0x0000000002069000-memory.dmp	trickbot_loader32

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2128 powershell.exe
2128 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2128 powershell.exe

pid	process
2128	powershell.exe
2128	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 4964	1960	c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe	cmd.exe
PID 1960 wrote to memory of 4964	1960	c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe	cmd.exe
PID 1960 wrote to memory of 4964	1960	c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe	cmd.exe
PID 4964 wrote to memory of 2128	4964	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2128	4964	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2128	4964	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe
"C:\Users\Admin\AppData\Local\Temp\c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\c213f69f07e55e9934541c28d10b498d067def4936d0ffed342b9f8d052e20f6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

memory/1960-134-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1960-132-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/1960-131-0x0000000002060000-0x0000000002069000-memory.dmp

Filesize
36KB

Download
memory/2128-139-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/2128-135-0x0000000000000000-mapping.dmp

Download
memory/2128-136-0x0000000002D90000-0x0000000002DC6000-memory.dmp

Filesize
216KB

Download
memory/2128-137-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/2128-138-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/2128-140-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/2128-141-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/2128-142-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/2128-143-0x0000000006B80000-0x0000000006B9A000-memory.dmp

Filesize
104KB

Download
memory/2128-144-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/2128-145-0x0000000007920000-0x0000000007942000-memory.dmp

Filesize
136KB

Download
memory/2128-146-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/4964-133-0x0000000000000000-mapping.dmp

Download