trickbot | 76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0

General

Target

76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe
Size

492KB
MD5

e29212a7f10f41c4404f694162b91de8
SHA1

cb189d1eb74822a12b3f4efba5328400d7d81da0
SHA256

76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0
SHA512

a86688ac819f7692ee7bc485bf7d89e53f6f422dffe036aa5a10730c82c6db816a4b25583835a77b8c76d674e5ac0b800752c5d6c69ca1c8cbd3003fa72ac40b

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/544-133-0x0000000002180000-0x00000000021AD000-memory.dmp	trickbot_loader32
behavioral2/memory/544-135-0x0000000002140000-0x000000000216D000-memory.dmp	trickbot_loader32
behavioral2/memory/544-136-0x0000000002181000-0x00000000021AD000-memory.dmp	trickbot_loader32
behavioral2/memory/3912-144-0x0000000001591000-0x00000000015BD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

àâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid process

544 àâûñ÷âöóûâïï.exe
3912 àâûñ÷âöóûâïï.exe

pid	process
544	àâûñ÷âöóûâïï.exe
3912	àâûñ÷âöóûâïï.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1840 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1840	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid	process
740	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe
740	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe
544	àâûñ÷âöóûâïï.exe
544	àâûñ÷âöóûâïï.exe
3912	àâûñ÷âöóûâïï.exe
3912	àâûñ÷âöóûâïï.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

description	pid	process	target process
PID 740 wrote to memory of 544	740	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe	àâûñ÷âöóûâïï.exe
PID 740 wrote to memory of 544	740	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe	àâûñ÷âöóûâïï.exe
PID 740 wrote to memory of 544	740	76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe	àâûñ÷âöóûâïï.exe
PID 544 wrote to memory of 808	544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 544 wrote to memory of 808	544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 544 wrote to memory of 808	544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 544 wrote to memory of 808	544	àâûñ÷âöóûâïï.exe	svchost.exe
PID 3912 wrote to memory of 1840	3912	àâûñ÷âöóûâïï.exe	svchost.exe
PID 3912 wrote to memory of 1840	3912	àâûñ÷âöóûâïï.exe	svchost.exe
PID 3912 wrote to memory of 1840	3912	àâûñ÷âöóûâïï.exe	svchost.exe
PID 3912 wrote to memory of 1840	3912	àâûñ÷âöóûâïï.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe
"C:\Users\Admin\AppData\Local\Temp\76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\ProgramData\àâûñ÷âöóûâïï.exe
"C:\ProgramData\àâûñ÷âöóûâïï.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:808

C:\Users\Admin\AppData\Roaming\taskhealth\àâûñ÷âöóûâïï.exe
C:\Users\Admin\AppData\Roaming\taskhealth\àâûñ÷âöóûâïï.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
492KB

MD5
e29212a7f10f41c4404f694162b91de8

SHA1
cb189d1eb74822a12b3f4efba5328400d7d81da0

SHA256
76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0

SHA512
a86688ac819f7692ee7bc485bf7d89e53f6f422dffe036aa5a10730c82c6db816a4b25583835a77b8c76d674e5ac0b800752c5d6c69ca1c8cbd3003fa72ac40b

Download Submit
C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
492KB

MD5
e29212a7f10f41c4404f694162b91de8

SHA1
cb189d1eb74822a12b3f4efba5328400d7d81da0

SHA256
76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0

SHA512
a86688ac819f7692ee7bc485bf7d89e53f6f422dffe036aa5a10730c82c6db816a4b25583835a77b8c76d674e5ac0b800752c5d6c69ca1c8cbd3003fa72ac40b

Download Submit
C:\Users\Admin\AppData\Roaming\taskhealth\àâûñ÷âöóûâïï.exe
Filesize
492KB

MD5
e29212a7f10f41c4404f694162b91de8

SHA1
cb189d1eb74822a12b3f4efba5328400d7d81da0

SHA256
76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0

SHA512
a86688ac819f7692ee7bc485bf7d89e53f6f422dffe036aa5a10730c82c6db816a4b25583835a77b8c76d674e5ac0b800752c5d6c69ca1c8cbd3003fa72ac40b

Download Submit
C:\Users\Admin\AppData\Roaming\taskhealth\àâûñ÷âöóûâïï.exe
Filesize
492KB

MD5
e29212a7f10f41c4404f694162b91de8

SHA1
cb189d1eb74822a12b3f4efba5328400d7d81da0

SHA256
76ab3bab55e55afdff24f971410b2e7b071edac304bddb791d687a0c084289b0

SHA512
a86688ac819f7692ee7bc485bf7d89e53f6f422dffe036aa5a10730c82c6db816a4b25583835a77b8c76d674e5ac0b800752c5d6c69ca1c8cbd3003fa72ac40b

Download Submit
memory/544-133-0x0000000002180000-0x00000000021AD000-memory.dmp

Filesize
180KB

Download
memory/544-135-0x0000000002140000-0x000000000216D000-memory.dmp

Filesize
180KB

Download
memory/544-136-0x0000000002181000-0x00000000021AD000-memory.dmp

Filesize
176KB

Download
memory/544-137-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/544-130-0x0000000000000000-mapping.dmp

Download
memory/808-138-0x0000026C6CED0000-0x0000026C6CEF0000-memory.dmp

Filesize
128KB

Download
memory/808-139-0x0000026C6CED0000-0x0000026C6CEF0000-memory.dmp

Filesize
128KB

Download
memory/808-134-0x0000000000000000-mapping.dmp

Download
memory/1840-143-0x0000000000000000-mapping.dmp

Download
memory/1840-145-0x000002468BAA0000-0x000002468BAC0000-memory.dmp

Filesize
128KB

Download
memory/1840-146-0x000002468BAA0000-0x000002468BAC0000-memory.dmp

Filesize
128KB

Download
memory/3912-144-0x0000000001591000-0x00000000015BD000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads