trickbot | 7a5d773aa6ef4cf71a18234e4037788e635a3f8aeefef0e9898d69453bc53025

Resubmissions

28-12-2022 03:05

221228-dk91fahc93 10

20-12-2022 19:37

221220-ycbswsea2x 10

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/gpuhealth/syrecrt.exe
Size

636KB
MD5

49718c5d4fa5792aad0397190ffbbb49
SHA1

9f5c0dd44498575be961e494c53e2de3c27b701a
SHA256

2de0320f9a93943e2b0564b760cdbfa13bd90b70cef3c59aadd132c3d24c2de0
SHA512

8aec434749b54ca0b9ea80b5d34efa6bc718b7831e6510667fdfbf69e7eabea5dc4ee747bcd2da8b5917489b8f493be22d748e5d16d723793a3727a32066390c
SSDEEP

6144:FsD8AG8D0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WPP0drYqMmdVdpx9qylokuSRmf/XwMtc

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral14/memory/4848-135-0x00000000023D0000-0x0000000002401000-memory.dmp	trickbot_loader32
behavioral14/memory/4848-136-0x00000000023D0000-0x0000000002401000-memory.dmp	trickbot_loader32
behavioral14/memory/4848-138-0x00000000023D0000-0x0000000002401000-memory.dmp	trickbot_loader32
behavioral14/memory/1988-147-0x0000000000DE0000-0x0000000000E11000-memory.dmp	trickbot_loader32
behavioral14/memory/1988-149-0x0000000000DE0000-0x0000000000E11000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

syrccrt.exe

pid process

1988 syrccrt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 5060 svchost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

syrecrt.exesyrccrt.exe

pid process

4848 syrecrt.exe
4848 syrecrt.exe
1988 syrccrt.exe
1988 syrccrt.exe

pid	process
1988	syrccrt.exe

description	pid	process
Token: SeTcbPrivilege	5060	svchost.exe

pid	process
4848	syrecrt.exe
4848	syrecrt.exe
1988	syrccrt.exe
1988	syrccrt.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

syrecrt.exesyrccrt.exe

description	pid	process	target process
PID 4848 wrote to memory of 4408	4848	syrecrt.exe	svchost.exe
PID 4848 wrote to memory of 4408	4848	syrecrt.exe	svchost.exe
PID 4848 wrote to memory of 4408	4848	syrecrt.exe	svchost.exe
PID 4848 wrote to memory of 4408	4848	syrecrt.exe	svchost.exe
PID 1988 wrote to memory of 5060	1988	syrccrt.exe	svchost.exe
PID 1988 wrote to memory of 5060	1988	syrccrt.exe	svchost.exe
PID 1988 wrote to memory of 5060	1988	syrccrt.exe	svchost.exe
PID 1988 wrote to memory of 5060	1988	syrccrt.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\dc\gpuhealth\syrecrt.exe
"C:\Users\Admin\AppData\Local\Temp\dc\gpuhealth\syrecrt.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4408

C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
Filesize
636KB

MD5
49718c5d4fa5792aad0397190ffbbb49

SHA1
9f5c0dd44498575be961e494c53e2de3c27b701a

SHA256
2de0320f9a93943e2b0564b760cdbfa13bd90b70cef3c59aadd132c3d24c2de0

SHA512
8aec434749b54ca0b9ea80b5d34efa6bc718b7831e6510667fdfbf69e7eabea5dc4ee747bcd2da8b5917489b8f493be22d748e5d16d723793a3727a32066390c

Download Submit
C:\Users\Admin\AppData\Roaming\gpuhealth\syrccrt.exe
Filesize
636KB

MD5
49718c5d4fa5792aad0397190ffbbb49

SHA1
9f5c0dd44498575be961e494c53e2de3c27b701a

SHA256
2de0320f9a93943e2b0564b760cdbfa13bd90b70cef3c59aadd132c3d24c2de0

SHA512
8aec434749b54ca0b9ea80b5d34efa6bc718b7831e6510667fdfbf69e7eabea5dc4ee747bcd2da8b5917489b8f493be22d748e5d16d723793a3727a32066390c

Download Submit
memory/1988-149-0x0000000000DE0000-0x0000000000E11000-memory.dmp

Filesize
196KB

Download
memory/1988-147-0x0000000000DE0000-0x0000000000E11000-memory.dmp

Filesize
196KB

Download
memory/4408-137-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x000002A123F20000-0x000002A123F42000-memory.dmp

Filesize
136KB

Download
memory/4408-140-0x000002A123F20000-0x000002A123F42000-memory.dmp

Filesize
136KB

Download
memory/4848-138-0x00000000023D0000-0x0000000002401000-memory.dmp

Filesize
196KB

Download
memory/4848-135-0x00000000023D0000-0x0000000002401000-memory.dmp

Filesize
196KB

Download
memory/4848-136-0x00000000023D0000-0x0000000002401000-memory.dmp

Filesize
196KB

Download
memory/5060-148-0x0000000000000000-mapping.dmp

Download
memory/5060-150-0x0000026882E50000-0x0000026882E72000-memory.dmp

Filesize
136KB

Download
memory/5060-151-0x0000026882E50000-0x0000026882E72000-memory.dmp

Filesize
136KB

Download