trickbot | 34f04a6643b34eed047f87c8a06a978005ca480471023874e1ab250a3d123240

Analysis

max time kernel
139s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b42883e8ae7314d61016f880859a890_NEIKI.exe
Size

765KB
MD5

8b42883e8ae7314d61016f880859a890
SHA1

c4482154f007ebe4d89767873976a20ef742111e
SHA256

34f04a6643b34eed047f87c8a06a978005ca480471023874e1ab250a3d123240
SHA512

4dc1a8adc70f7d0acb53fcfa246a4012d9bcf3ec4d0d083bed3533cb328334b6d03d0bfb46382feade9cbd3c78c83e43fc15d144507889c6992d2866cb61caac
SSDEEP

12288:zJB0lh5aILwtFPCfmAUt3r4DwpRrKO1YYVhiiNdvrsymrLL:zQ5aILMCfmAUhrSO1YNWdvKr3

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1908-15-0x0000000002FF0000-0x0000000003019000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe
1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe
2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe
Token: SeTcbPrivilege	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1908	8b42883e8ae7314d61016f880859a890_NEIKI.exe
4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe
1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe
2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4744	1908	8b42883e8ae7314d61016f880859a890_NEIKI.exe	84
PID 1908 wrote to memory of 4744	1908	8b42883e8ae7314d61016f880859a890_NEIKI.exe	84
PID 1908 wrote to memory of 4744	1908	8b42883e8ae7314d61016f880859a890_NEIKI.exe	84
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 4744 wrote to memory of 4764	4744	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	85
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 1604 wrote to memory of 4464	1604	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	101
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110
PID 2004 wrote to memory of 2136	2004	9b42993e9ae8314d71017f990969a990_NFJLJ.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8b42883e8ae7314d61016f880859a890_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8b42883e8ae7314d61016f880859a890_NEIKI.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4764

C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4464

C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\9b42993e9ae8314d71017f990969a990_NFJLJ.exe

Filesize
765KB

MD5
8b42883e8ae7314d61016f880859a890

SHA1
c4482154f007ebe4d89767873976a20ef742111e

SHA256
34f04a6643b34eed047f87c8a06a978005ca480471023874e1ab250a3d123240

SHA512
4dc1a8adc70f7d0acb53fcfa246a4012d9bcf3ec4d0d083bed3533cb328334b6d03d0bfb46382feade9cbd3c78c83e43fc15d144507889c6992d2866cb61caac

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
46KB

MD5
af0661ca3ccf598a0ad5945fbc19ae9d

SHA1
1be352a6b5bacb9fd69c3be22ef2185263cd8d21

SHA256
9ac7deb71b18ce7eecee1f277060204388e152254a219f7ea3b587cae82bf8d2

SHA512
7a61431f94a252ea1d0ced3fbbcaf999f2ca6382630e60bd8b73d31700d7a6fde173ba71b758b5a96340fa813914dbad752f469d02568432f5b75c7df9917591

Download Submit
memory/1604-65-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-62-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-66-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-69-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-68-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-67-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-61-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-63-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-58-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1604-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1604-64-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-59-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1604-60-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1908-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-9-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-12-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1908-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1908-15-0x0000000002FF0000-0x0000000003019000-memory.dmp

Filesize
164KB

Download
memory/1908-14-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-2-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-4-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4744-30-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-35-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-27-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-28-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-29-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-31-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-32-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-33-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-34-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-26-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-36-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-37-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4744-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4744-52-0x00000000031C0000-0x0000000003489000-memory.dmp

Filesize
2.8MB

Download
memory/4744-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4744-51-0x0000000003100000-0x00000000031BE000-memory.dmp

Filesize
760KB

Download
memory/4764-53-0x00000277F1E40000-0x00000277F1E41000-memory.dmp

Filesize
4KB

Download
memory/4764-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4764-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download