trickbot | d2ed27f9234bf004e61a952f667c553092777e0fd2b760dc52f0d0e24ed04abd

Analysis

max time kernel
136s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9037592ea47a15eaa9db8875f734fea0_NEIKI.exe
Size

786KB
MD5

9037592ea47a15eaa9db8875f734fea0
SHA1

a67a80af69b0e1ff5881e14ba50613beb8df3d16
SHA256

d2ed27f9234bf004e61a952f667c553092777e0fd2b760dc52f0d0e24ed04abd
SHA512

950b416ffd7f7f5dcee1e9ee506f20bd8e123c9c72d58ff6018ddfdbf35dfc1b53b5eda552829f50546b9549b3e7f6e9bc8c7b31e585ddae94cffe703d7d7a07
SSDEEP

12288:zJB0lh5aILwtFPCfmAUt3r4DwpRrKO1YYVhiiNdvrsymrac+:zQ5aILMCfmAUhrSO1YNWdvKraD

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3600-15-0x0000000002AB0000-0x0000000002AD9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5056	3360	WerFault.exe	94

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
Token: SeTcbPrivilege	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3600	9037592ea47a15eaa9db8875f734fea0_NEIKI.exe
3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3796	3600	9037592ea47a15eaa9db8875f734fea0_NEIKI.exe	88
PID 3600 wrote to memory of 3796	3600	9037592ea47a15eaa9db8875f734fea0_NEIKI.exe	88
PID 3600 wrote to memory of 3796	3600	9037592ea47a15eaa9db8875f734fea0_NEIKI.exe	88
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3796 wrote to memory of 5028	3796	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	90
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 3360 wrote to memory of 2204	3360	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	95
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100
PID 1392 wrote to memory of 3368	1392	9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9037592ea47a15eaa9db8875f734fea0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9037592ea47a15eaa9db8875f734fea0_NEIKI.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:1420

C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 728
  2⤵
  - Program crash
  PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3360 -ip 3360
1⤵
PID:1216

C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\9038692ea48a16eaa9db9986f834fea0_NFJLJ.exe

Filesize
786KB

MD5
9037592ea47a15eaa9db8875f734fea0

SHA1
a67a80af69b0e1ff5881e14ba50613beb8df3d16

SHA256
d2ed27f9234bf004e61a952f667c553092777e0fd2b760dc52f0d0e24ed04abd

SHA512
950b416ffd7f7f5dcee1e9ee506f20bd8e123c9c72d58ff6018ddfdbf35dfc1b53b5eda552829f50546b9549b3e7f6e9bc8c7b31e585ddae94cffe703d7d7a07

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
30KB

MD5
159e32f866a1c2abb57f472056851866

SHA1
229173fa6f2faa45f974d1f4d624d8f84d829dc5

SHA256
8d8832c928be723f95bd01ecfbbfae71642d248335fe78583d5e7edcc67fc964

SHA512
a9b03d53a6ea397704d0f505fe7cd71f698e5dc9e2fbca72186268a29200fabe030ee857e32a85202dc43ebde94857fb3496f04649e2d55529f87828b60b7428

Download Submit
memory/3360-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3360-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3360-59-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-62-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-64-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-66-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-67-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-68-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-69-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-65-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-63-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-61-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-60-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-58-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3600-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3600-13-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-15-0x0000000002AB0000-0x0000000002AD9000-memory.dmp

Filesize
164KB

Download
memory/3600-12-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-11-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-10-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-8-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-7-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-6-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-5-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-4-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-14-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3600-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3796-34-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-36-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/3796-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/3796-28-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3796-29-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-30-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-31-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-32-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-33-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-26-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-35-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-27-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3796-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3796-37-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/5028-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/5028-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/5028-51-0x00000283EBA50000-0x00000283EBA51000-memory.dmp

Filesize
4KB

Download