trickbot | a8598ae371984cf353fb785fd60a2a6794832fc0047f8d4179a0ec863324afe5

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe
Size

1023KB
MD5

97ae8657494d62ab8ac69136cc9de610
SHA1

4d65703c42cc4c56633a35e8452dbc3412813095
SHA256

a8598ae371984cf353fb785fd60a2a6794832fc0047f8d4179a0ec863324afe5
SHA512

4602a3022feabd52faf5d262a1d6d15e9f1fc9716c46dc8b4f67edbca430c171968a211b3c48453144a096c48e48a615cff0d0771336fc25bbe2a722c2395444
SSDEEP

24576:zQ5aILMCfmAUhrSO1YNWdvCzMPqdUD6dNDmwN7:E5aIwC+AUBsWsXH1

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2816-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

pid	process
4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
Token: SeTcbPrivilege	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

pid	process
2816	97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe
4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2816 wrote to memory of 4080	2816	97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
PID 2816 wrote to memory of 4080	2816	97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
PID 2816 wrote to memory of 4080	2816	97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 4080 wrote to memory of 4084	4080	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1676 wrote to memory of 4644	1676	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe
PID 1488 wrote to memory of 2476	1488	98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\97ae8657494d62ab8ac69136cc9de610_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4084

C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4644

C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\98ae9768494d72ab9ac79137cc9de710_NeikiAnalytict.exe

Filesize
1023KB

MD5
97ae8657494d62ab8ac69136cc9de610

SHA1
4d65703c42cc4c56633a35e8452dbc3412813095

SHA256
a8598ae371984cf353fb785fd60a2a6794832fc0047f8d4179a0ec863324afe5

SHA512
4602a3022feabd52faf5d262a1d6d15e9f1fc9716c46dc8b4f67edbca430c171968a211b3c48453144a096c48e48a615cff0d0771336fc25bbe2a722c2395444

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
35KB

MD5
f0298aefef59a76d20986eaceeebf7f3

SHA1
615ab4e4a56b7f409185fe3b8389910493776286

SHA256
8b89ae8c13c14cdda890740a00796c84d720443507fb9f37b49e8ce455e5c231

SHA512
0d51bf2bebd637df9e73ea383d78b031f52e39f0906d1669dbb955ba77717126ccf1dd4084427273571a7f375c199e50d7e8b5966f5253cada26d1ba41eef629

Download Submit
memory/1676-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1676-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1676-59-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-60-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-61-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-62-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-63-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-64-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-65-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-66-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-67-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-68-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-69-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1676-58-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2816-2-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2816-14-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-13-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-12-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-11-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-10-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-8-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-6-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-5-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-3-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-7-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2816-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/2816-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4080-36-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-34-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-31-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4080-30-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4080-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4080-32-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-33-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-51-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4080-35-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-37-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-26-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-27-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-28-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4080-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4080-29-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4084-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4084-52-0x000001CF80670000-0x000001CF80671000-memory.dmp

Filesize
4KB

Download