trickbot | dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

General

Target

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
Size

484KB
MD5

545bfdc9b1976ae0003443ff4f90eb7e
SHA1

92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326
SHA256

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740
SHA512

d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f
SSDEEP

6144:zk0Ip3PNVUaXMR7knvo62EYuWHWOQyojEHkXS6vhGQf9135F8u:z03PNVMooKHWHWnyojM6v1tEu

Score

10^/10

trickbot banker dave trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4588-132-0x0000000002330000-0x0000000002364000-memory.dmp	trickbot_loader32
behavioral2/memory/4588-136-0x00000000022C0000-0x00000000022F1000-memory.dmp	trickbot_loader32
behavioral2/memory/1304-140-0x0000000000A20000-0x0000000000A54000-memory.dmp	trickbot_loader32
behavioral2/memory/1304-144-0x0000000002330000-0x0000000002361000-memory.dmp	trickbot_loader32
behavioral2/memory/1304-145-0x0000000000A60000-0x0000000000A90000-memory.dmp	trickbot_loader32
behavioral2/memory/1304-146-0x0000000002331000-0x0000000002361000-memory.dmp	trickbot_loader32
behavioral2/memory/1304-148-0x0000000002331000-0x0000000002361000-memory.dmp	trickbot_loader32
behavioral2/memory/484-154-0x0000000000E40000-0x0000000000E74000-memory.dmp	trickbot_loader32
behavioral2/memory/484-159-0x0000000000EE1000-0x0000000000F11000-memory.dmp	trickbot_loader32
behavioral2/memory/484-161-0x0000000000EE1000-0x0000000000F11000-memory.dmp	trickbot_loader32

Dave packer 4 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4588-132-0x0000000002330000-0x0000000002364000-memory.dmp	dave
behavioral2/memory/4588-136-0x00000000022C0000-0x00000000022F1000-memory.dmp	dave
behavioral2/memory/1304-140-0x0000000000A20000-0x0000000000A54000-memory.dmp	dave
behavioral2/memory/484-154-0x0000000000E40000-0x0000000000E74000-memory.dmp	dave

Executes dropped EXE 2 IoCs

Processes:

ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid process

1304 ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
484 ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid	process
1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 5048 svchost.exe

description	pid	process
Token: SeTcbPrivilege	5048	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid	process
4588	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
4588	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

description	pid	process	target process
PID 4588 wrote to memory of 1304	4588	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 4588 wrote to memory of 1304	4588	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 4588 wrote to memory of 1304	4588	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 1304 wrote to memory of 3316	1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1304 wrote to memory of 3316	1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1304 wrote to memory of 3316	1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1304 wrote to memory of 3316	1304	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 484 wrote to memory of 5048	484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 484 wrote to memory of 5048	484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 484 wrote to memory of 5048	484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 484 wrote to memory of 5048	484	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
"C:\Users\Admin\AppData\Local\Temp\dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
"C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3316

C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
memory/484-161-0x0000000000EE1000-0x0000000000F11000-memory.dmp

Filesize
192KB

Download
memory/484-159-0x0000000000EE1000-0x0000000000F11000-memory.dmp

Filesize
192KB

Download
memory/484-154-0x0000000000E40000-0x0000000000E74000-memory.dmp

Filesize
208KB

Download
memory/1304-140-0x0000000000A20000-0x0000000000A54000-memory.dmp

Filesize
208KB

Download
memory/1304-145-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/1304-137-0x0000000000000000-mapping.dmp

Download
memory/1304-148-0x0000000002331000-0x0000000002361000-memory.dmp

Filesize
192KB

Download
memory/1304-149-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1304-144-0x0000000002330000-0x0000000002361000-memory.dmp

Filesize
196KB

Download
memory/1304-146-0x0000000002331000-0x0000000002361000-memory.dmp

Filesize
192KB

Download
memory/3316-151-0x000002A1BF480000-0x000002A1BF4A2000-memory.dmp

Filesize
136KB

Download
memory/3316-150-0x000002A1BF480000-0x000002A1BF4A2000-memory.dmp

Filesize
136KB

Download
memory/3316-147-0x0000000000000000-mapping.dmp

Download
memory/4588-132-0x0000000002330000-0x0000000002364000-memory.dmp

Filesize
208KB

Download
memory/4588-136-0x00000000022C0000-0x00000000022F1000-memory.dmp

Filesize
196KB

Download
memory/5048-160-0x0000000000000000-mapping.dmp

Download
memory/5048-162-0x00000190DADE0000-0x00000190DAE02000-memory.dmp

Filesize
136KB

Download
memory/5048-163-0x00000190DADE0000-0x00000190DAE02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads