trickbot | cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

General

Target

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
Size

274KB
MD5

2d9a2aac9084a566348e4a8444d6345b
SHA1

d0dd7bc90451c152df1eb2267d0230bf31033cb8
SHA256

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17
SHA512

7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Score

10^/10

trickbot banker evasion trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1404-79-0x0000000000370000-0x0000000000399000-memory.dmp	trickbot_loader32
behavioral1/memory/1648-64-0x0000000000320000-0x0000000000349000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

pid process

1404 cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

Loads dropped DLL 2 IoCs

Processes:

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe

pid	process
1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1636 sc.exe
1528 sc.exe

pid	process
1636	sc.exe
1528	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exepowershell.exe

pid	process
1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
1332	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1332 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.execmd.execmd.execmd.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

description	pid	process	target process
PID 1648 wrote to memory of 1312	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1312	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1312	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1312	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 896	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 896	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 896	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 896	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cmd.exe
PID 896 wrote to memory of 1528	896	cmd.exe	sc.exe
PID 896 wrote to memory of 1528	896	cmd.exe	sc.exe
PID 896 wrote to memory of 1528	896	cmd.exe	sc.exe
PID 896 wrote to memory of 1528	896	cmd.exe	sc.exe
PID 1312 wrote to memory of 1636	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1636	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1636	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1636	1312	cmd.exe	sc.exe
PID 1648 wrote to memory of 1404	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 1648 wrote to memory of 1404	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 1648 wrote to memory of 1404	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 1648 wrote to memory of 1404	1648	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	powershell.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1404 wrote to memory of 1908	1404	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
"C:\Users\Admin\AppData\Local\Temp\cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1636

C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:1908

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
1⤵
- Launches sc.exe
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3762437355-3468409815-1164039494-1000\0f5007522459c86e95ffcc62f32308f1_327f7753-eed3-43ec-871a-c7bcf65868ec
Filesize
1KB

MD5
aedfc59fa035f71103571026eed5de11

SHA1
c93c4cb59877a55886ae4282ffcc9553329f7cb9

SHA256
fe3754df565c8bfbc089debfe60265d92640e36040689a5fa142d9540269c993

SHA512
b61bab113df4558d43cd9d04c664ace43afd0032d42cdf1b772edca5784799befab69e25253ec7db0e63df19ad58c659f58e3721722abde0a7b05726bacf3481

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/1312-55-0x0000000000000000-mapping.dmp

Download
memory/1332-81-0x0000000073820000-0x0000000073DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1332-80-0x0000000073820000-0x0000000073DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1332-63-0x0000000000000000-mapping.dmp

Download
memory/1404-79-0x0000000000370000-0x0000000000399000-memory.dmp

Filesize
164KB

Download
memory/1404-70-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1404-62-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1636-60-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1648-64-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/1656-57-0x0000000000000000-mapping.dmp

Download
memory/1908-73-0x0000000000000000-mapping.dmp

Download
memory/1908-75-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads