trickbot | 2f68f2ba07209c11769f12258949c6622b89c8188c2767b1e781e9ede461cd65

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe
Size

1014KB
MD5

3e1a4f5a28fb96d9596bca92ef13ca90
SHA1

ba5867e39835636174d6a129de8b48b0b2b17131
SHA256

2f68f2ba07209c11769f12258949c6622b89c8188c2767b1e781e9ede461cd65
SHA512

756265471b7ff97cbffaac0a2e32c67b9b22412c58e427723a7c9c3d202bc5b957593794b2735fac73c9afb64ab90bd9ee5808a833929c00e78d44761fe18266
SSDEEP

24576:zQ5aILMCfmAUhrSO1YNWdvCzMPqdUD6dNDmwO:E5aIwC+AUBsWsXHO

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/976-15-0x0000000002930000-0x0000000002959000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
Token: SeTcbPrivilege	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
976	3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe
3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3540	976	3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe	83
PID 976 wrote to memory of 3540	976	3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe	83
PID 976 wrote to memory of 3540	976	3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe	83
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 3540 wrote to memory of 2428	3540	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	84
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 4708 wrote to memory of 3540	4708	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	101
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110
PID 320 wrote to memory of 1700	320	3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e1a4f5a28fb96d9596bca92ef13ca90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2428

C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3540

C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3e1a4f6a29fb97d9697bca92ef13ca90_NeikiAnalytict.exe

Filesize
1014KB

MD5
3e1a4f5a28fb96d9596bca92ef13ca90

SHA1
ba5867e39835636174d6a129de8b48b0b2b17131

SHA256
2f68f2ba07209c11769f12258949c6622b89c8188c2767b1e781e9ede461cd65

SHA512
756265471b7ff97cbffaac0a2e32c67b9b22412c58e427723a7c9c3d202bc5b957593794b2735fac73c9afb64ab90bd9ee5808a833929c00e78d44761fe18266

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
51KB

MD5
1b2e2ff0644d09bc6e4e7152b67df629

SHA1
7b45a05d7be653754341395c43de7783da03c7a5

SHA256
5c43fc9c4567f07f87d7031a3d76d0ce1bf67de69f75156266109b37d3626c26

SHA512
4dc5c0762a4c06d2acde0a9c52977c0b29fcc41cf9758b61facb468b96a3ec46ca418ecf298c5e15a4cd0488bad6b01e94ca7f7b3a67be66395d2e0df938612a

Download Submit
memory/976-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-11-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-10-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-8-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-7-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-6-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-3-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-4-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-2-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-9-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-15-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download
memory/976-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/976-14-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/976-13-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/976-12-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2428-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2428-51-0x0000022E1C360000-0x0000022E1C361000-memory.dmp

Filesize
4KB

Download
memory/3540-26-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-29-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-28-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-27-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-37-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-36-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-35-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3540-34-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3540-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3540-33-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-32-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-31-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-30-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3540-52-0x00000000030B0000-0x000000000316E000-memory.dmp

Filesize
760KB

Download
memory/3540-53-0x0000000003170000-0x0000000003439000-memory.dmp

Filesize
2.8MB

Download
memory/4708-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4708-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4708-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download