trickbot | 7a5d773aa6ef4cf71a18234e4037788e635a3f8aeefef0e9898d69453bc53025

Resubmissions

28-12-2022 03:05

221228-dk91fahc93 10

20-12-2022 19:37

221220-ycbswsea2x 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client/gpuhealth/syrecrt.exe
Size

636KB
MD5

b1ee1b5bcf9081a4556c9eca8ddee08b
SHA1

44ce0ffaa7e00619041d5c6a55b333cd68b34e9f
SHA256

7f35814a168b322a70dde6653134deed0771ae69860e1dcb3b464237c327357b
SHA512

cd56bbc7039cdba69ba475a9011511425cbe63d3ba6f59aa569c8a96089ee0df0a54b0b789be43d4d1af66c1b21d3d1c191240a40dc3692f39eebbd3be6a4a56
SSDEEP

6144:FsD8AG8s0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WP40drYqMmdVdpx9qylokuSRmf/XwMtc

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral12/memory/764-135-0x00000000022B0000-0x00000000022E1000-memory.dmp	trickbot_loader32
behavioral12/memory/764-136-0x00000000022B0000-0x00000000022E1000-memory.dmp	trickbot_loader32
behavioral12/memory/764-138-0x00000000022B0000-0x00000000022E1000-memory.dmp	trickbot_loader32
behavioral12/memory/4068-147-0x0000000000E30000-0x0000000000E61000-memory.dmp	trickbot_loader32
behavioral12/memory/4068-149-0x0000000000E30000-0x0000000000E61000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

syrccrt.exe

pid process

4068 syrccrt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 4052 svchost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

syrecrt.exesyrccrt.exe

pid process

764 syrecrt.exe
764 syrecrt.exe
4068 syrccrt.exe
4068 syrccrt.exe

pid	process
4068	syrccrt.exe

description	pid	process
Token: SeTcbPrivilege	4052	svchost.exe

pid	process
764	syrecrt.exe
764	syrecrt.exe
4068	syrccrt.exe
4068	syrccrt.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

syrecrt.exesyrccrt.exe

description	pid	process	target process
PID 764 wrote to memory of 2200	764	syrecrt.exe	svchost.exe
PID 764 wrote to memory of 2200	764	syrecrt.exe	svchost.exe
PID 764 wrote to memory of 2200	764	syrecrt.exe	svchost.exe
PID 764 wrote to memory of 2200	764	syrecrt.exe	svchost.exe
PID 4068 wrote to memory of 4052	4068	syrccrt.exe	svchost.exe
PID 4068 wrote to memory of 4052	4068	syrccrt.exe	svchost.exe
PID 4068 wrote to memory of 4052	4068	syrccrt.exe	svchost.exe
PID 4068 wrote to memory of 4052	4068	syrccrt.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\client\gpuhealth\syrecrt.exe
"C:\Users\Admin\AppData\Local\Temp\client\gpuhealth\syrecrt.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2200

C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
Filesize
636KB

MD5
b1ee1b5bcf9081a4556c9eca8ddee08b

SHA1
44ce0ffaa7e00619041d5c6a55b333cd68b34e9f

SHA256
7f35814a168b322a70dde6653134deed0771ae69860e1dcb3b464237c327357b

SHA512
cd56bbc7039cdba69ba475a9011511425cbe63d3ba6f59aa569c8a96089ee0df0a54b0b789be43d4d1af66c1b21d3d1c191240a40dc3692f39eebbd3be6a4a56

Download Submit
C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
Filesize
636KB

MD5
b1ee1b5bcf9081a4556c9eca8ddee08b

SHA1
44ce0ffaa7e00619041d5c6a55b333cd68b34e9f

SHA256
7f35814a168b322a70dde6653134deed0771ae69860e1dcb3b464237c327357b

SHA512
cd56bbc7039cdba69ba475a9011511425cbe63d3ba6f59aa569c8a96089ee0df0a54b0b789be43d4d1af66c1b21d3d1c191240a40dc3692f39eebbd3be6a4a56

Download Submit
memory/764-138-0x00000000022B0000-0x00000000022E1000-memory.dmp

Filesize
196KB

Download
memory/764-135-0x00000000022B0000-0x00000000022E1000-memory.dmp

Filesize
196KB

Download
memory/764-136-0x00000000022B0000-0x00000000022E1000-memory.dmp

Filesize
196KB

Download
memory/2200-139-0x000002B8E67D0000-0x000002B8E67F2000-memory.dmp

Filesize
136KB

Download
memory/2200-140-0x000002B8E67D0000-0x000002B8E67F2000-memory.dmp

Filesize
136KB

Download
memory/2200-137-0x0000000000000000-mapping.dmp

Download
memory/4052-148-0x0000000000000000-mapping.dmp

Download
memory/4052-150-0x00000241A8EB0000-0x00000241A8ED2000-memory.dmp

Filesize
136KB

Download
memory/4052-151-0x00000241A8EB0000-0x00000241A8ED2000-memory.dmp

Filesize
136KB

Download
memory/4068-147-0x0000000000E30000-0x0000000000E61000-memory.dmp

Filesize
196KB

Download
memory/4068-149-0x0000000000E30000-0x0000000000E61000-memory.dmp

Filesize
196KB

Download