trickbot | 6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

Analysis

max time kernel
26s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
Size

368KB
MD5

362066c84500cbdd1a11ab6269eb58cb
SHA1

5e8f26c150d985ee7605c6adaad3009fb1c48a48
SHA256

6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6
SHA512

4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:emSuOcHmnYhrDMTrban4q6

Score

10^/10

trickbot banker evasion trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2168-61-0x0000000000140000-0x0000000000169000-memory.dmp	trickbot_loader32
behavioral1/memory/2328-73-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2092	sc.exe
1552	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
1432	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1512	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	29
PID 2168 wrote to memory of 1512	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	29
PID 2168 wrote to memory of 1512	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	29
PID 2168 wrote to memory of 1512	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	29
PID 2168 wrote to memory of 2908	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	30
PID 2168 wrote to memory of 2908	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	30
PID 2168 wrote to memory of 2908	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	30
PID 2168 wrote to memory of 2908	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	30
PID 2168 wrote to memory of 2940	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	32
PID 2168 wrote to memory of 2940	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	32
PID 2168 wrote to memory of 2940	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	32
PID 2168 wrote to memory of 2940	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	32
PID 2168 wrote to memory of 2328	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	35
PID 2168 wrote to memory of 2328	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	35
PID 2168 wrote to memory of 2328	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	35
PID 2168 wrote to memory of 2328	2168	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	35
PID 2940 wrote to memory of 1432	2940	cmd.exe	37
PID 2940 wrote to memory of 1432	2940	cmd.exe	37
PID 2940 wrote to memory of 1432	2940	cmd.exe	37
PID 2940 wrote to memory of 1432	2940	cmd.exe	37
PID 1512 wrote to memory of 2092	1512	cmd.exe	36
PID 1512 wrote to memory of 2092	1512	cmd.exe	36
PID 1512 wrote to memory of 2092	1512	cmd.exe	36
PID 1512 wrote to memory of 2092	1512	cmd.exe	36
PID 2908 wrote to memory of 1552	2908	cmd.exe	38
PID 2908 wrote to memory of 1552	2908	cmd.exe	38
PID 2908 wrote to memory of 1552	2908	cmd.exe	38
PID 2908 wrote to memory of 1552	2908	cmd.exe	38
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39
PID 2328 wrote to memory of 2108	2328	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	39

C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
"C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
  C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-264077997-199365141-898621884-1000\0f5007522459c86e95ffcc62f32308f1_f28ecae2-865f-4060-84c2-613a33c8d0fd

Filesize
1KB

MD5
3e6b655239c678ebb07e01a8b6c0d595

SHA1
ff814c35f72584dba6f4f4bb4adfbe0645cb3a78

SHA256
9781631edc33066ff36414a07f1862b5bb270c7dc08b79c27917a12ee1bf3fbc

SHA512
527edc86574e60500bccfa214231dab3b7799954893ca84a1d6156d1a3cd838f82fd115fa13785ce7e9e4d6ed3bd2dd5dcacb0574c1e3d939b0e51b411a7af0a

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Filesize
368KB

MD5
362066c84500cbdd1a11ab6269eb58cb

SHA1
5e8f26c150d985ee7605c6adaad3009fb1c48a48

SHA256
6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

SHA512
4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

Download Submit
\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Filesize
368KB

MD5
362066c84500cbdd1a11ab6269eb58cb

SHA1
5e8f26c150d985ee7605c6adaad3009fb1c48a48

SHA256
6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

SHA512
4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

Download Submit
memory/1432-76-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/1432-77-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2108-69-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2108-78-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2168-61-0x0000000000140000-0x0000000000169000-memory.dmp

Filesize
164KB

Download
memory/2328-64-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2328-73-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download