trickbot | 6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

General

Target

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
Size

368KB
MD5

ce0d380468c41fbc489fcaefcee3d211
SHA1

132fb83fa51c9624d2e5ddd6e5f40751ac839c63
SHA256

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3
SHA512

7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qh:emSuOcHmnYhrDMTrban4qh

Score

10^/10

trickbot banker evasion trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1048-61-0x0000000000210000-0x0000000000239000-memory.dmp	trickbot_loader32
behavioral1/memory/980-78-0x0000000000130000-0x0000000000159000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

pid process

980 7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe

pid process

1048 6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe

pid	process
980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

620 sc.exe
520 sc.exe

pid	process
620	sc.exe
520	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exepowershell.exe

pid	process
1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1696 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.execmd.execmd.execmd.exe7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

description	pid	process	target process
PID 1048 wrote to memory of 948	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 948	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 948	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 948	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 888	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 888	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 888	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 1048 wrote to memory of 888	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	cmd.exe
PID 948 wrote to memory of 620	948	cmd.exe	sc.exe
PID 948 wrote to memory of 620	948	cmd.exe	sc.exe
PID 948 wrote to memory of 620	948	cmd.exe	sc.exe
PID 948 wrote to memory of 620	948	cmd.exe	sc.exe
PID 1048 wrote to memory of 980	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 1048 wrote to memory of 980	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 1048 wrote to memory of 980	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 1048 wrote to memory of 980	1048	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 984 wrote to memory of 520	984	cmd.exe	sc.exe
PID 984 wrote to memory of 520	984	cmd.exe	sc.exe
PID 984 wrote to memory of 520	984	cmd.exe	sc.exe
PID 984 wrote to memory of 520	984	cmd.exe	sc.exe
PID 888 wrote to memory of 1696	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 1696	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 1696	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 1696	888	cmd.exe	powershell.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 980 wrote to memory of 360	980	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
"C:\Users\Admin\AppData\Local\Temp\6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:620

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:520

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4063495947-34355257-727531523-1000\0f5007522459c86e95ffcc62f32308f1_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b
Filesize
1KB

MD5
40cfa7bedb464a795a338be8cdfc4834

SHA1
06ab3a3da93f2790db46d67490d9cd07d1b63d97

SHA256
e743cbd8a39a5adcca7284cab9d60f821fc7fad3d6d9676e3c9d5166a5bad6d6

SHA512
872c2806663e09feafed27f9501bc18801089162d15e4d02e81e4ae56f01f1b21d0a6f77c27089e24ecb2a3cc76226f6b9343360f970829225bbc70991f2194a

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Filesize
368KB

MD5
ce0d380468c41fbc489fcaefcee3d211

SHA1
132fb83fa51c9624d2e5ddd6e5f40751ac839c63

SHA256
6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

SHA512
7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38

Download Submit
\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Filesize
368KB

MD5
ce0d380468c41fbc489fcaefcee3d211

SHA1
132fb83fa51c9624d2e5ddd6e5f40751ac839c63

SHA256
6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

SHA512
7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38

Download Submit
memory/360-74-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/360-72-0x0000000000000000-mapping.dmp

Download
memory/520-64-0x0000000000000000-mapping.dmp

Download
memory/620-58-0x0000000000000000-mapping.dmp

Download
memory/888-57-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/980-60-0x0000000000000000-mapping.dmp

Download
memory/980-69-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/980-78-0x0000000000130000-0x0000000000159000-memory.dmp

Filesize
164KB

Download
memory/984-56-0x0000000000000000-mapping.dmp

Download
memory/1048-61-0x0000000000210000-0x0000000000239000-memory.dmp

Filesize
164KB

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download
memory/1696-79-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-80-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads