trickbot | a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 08:57

Target

a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe
Size

670KB
MD5

5c302f088c46d4b44f25ba7f2bcae164
SHA1

c7837033defc2107c7ef1f6f6f795fea50ddafbb
SHA256

a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f
SHA512

a878719d5651400057509f7ba7cd8e7abf9df3bbbb06ca5329b5bd172c4269b163d1fecd8b26ae1f6f98e5cf65691cb2f55ce0e71f53c4424089034a331bdc35

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1380-55-0x0000000000350000-0x0000000000359000-memory.dmp	trickbot_loader32
behavioral1/memory/1380-58-0x0000000000340000-0x0000000000347000-memory.dmp	trickbot_loader32
behavioral1/memory/1380-59-0x0000000000351000-0x0000000000358000-memory.dmp	trickbot_loader32
behavioral1/memory/1380-62-0x0000000000351000-0x0000000000358000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

584 powershell.exe

pid	process
584	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

584 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 584 powershell.exe

pid	process
584	powershell.exe

description	pid	process
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 284	1380	a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe	cmd.exe
PID 1380 wrote to memory of 284	1380	a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe	cmd.exe
PID 1380 wrote to memory of 284	1380	a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe	cmd.exe
PID 1380 wrote to memory of 284	1380	a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe	cmd.exe
PID 284 wrote to memory of 584	284	cmd.exe	powershell.exe
PID 284 wrote to memory of 584	284	cmd.exe	powershell.exe
PID 284 wrote to memory of 584	284	cmd.exe	powershell.exe
PID 284 wrote to memory of 584	284	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe
"C:\Users\Admin\AppData\Local\Temp\a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\a19ddf2352a0ad0c12fe14d2436d27b7a922cd5a4162a9a088bef1f48764114f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:284

memory/284-60-0x0000000000000000-mapping.dmp

Download
memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/584-66-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/584-67-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/1380-57-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1380-58-0x0000000000340000-0x0000000000347000-memory.dmp

Filesize
28KB

Download
memory/1380-59-0x0000000000351000-0x0000000000358000-memory.dmp

Filesize
28KB

Download
memory/1380-61-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1380-62-0x0000000000351000-0x0000000000358000-memory.dmp

Filesize
28KB

Download