trickbot | d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759

Analysis

max time kernel
147s
max time network
90s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 04:57

Target

d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe
Size

257KB
MD5

c631fab0314095b88496fc111c68ade3
SHA1

682e78e9a0b3b719262c1e004f9e723e3910a820
SHA256

d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759
SHA512

ae1ab6da0419cbc624cdf5ec30e56cd2202fdb1904f28e12e3f40fe2f965f053ac45cd38b9f85ffd406bd643d7317c70a82047c7b125cf9f0c1b8dfe5d5cc3a3

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/888-54-0x0000000000340000-0x0000000000349000-memory.dmp	trickbot_loader32
behavioral1/memory/888-56-0x0000000000340000-0x0000000000349000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1348 powershell.exe

pid	process
1348	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1348 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1348 powershell.exe

pid	process
1348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.execmd.exe

description	pid	process	target process
PID 888 wrote to memory of 1444	888	d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe	cmd.exe
PID 888 wrote to memory of 1444	888	d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe	cmd.exe
PID 888 wrote to memory of 1444	888	d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe	cmd.exe
PID 888 wrote to memory of 1444	888	d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe	cmd.exe
PID 1444 wrote to memory of 1348	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 1348	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 1348	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 1348	1444	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe
"C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\d008307d113d72d5263145c03c46fe35c705af1213c942bbc8b13c51940e3759.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

memory/888-54-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/888-56-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/1348-57-0x0000000000000000-mapping.dmp

Download
memory/1348-58-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1348-59-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-60-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-55-0x0000000000000000-mapping.dmp

Download