trickbot | 54f7bfe1a0967f4c2f4582d2b3327809bd817a4a556245ad9ba9124404f4e079

Analysis

max time kernel
112s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe
Size

368KB
MD5

52e7d8bb9f23beb33fbf502868016210
SHA1

8ba82dc7331cc1df8462d35917bde3320baa8db2
SHA256

54f7bfe1a0967f4c2f4582d2b3327809bd817a4a556245ad9ba9124404f4e079
SHA512

ae12695e127c46130e030a6acd7f3b4c09c031bed64e56cb689910b1a2b1e51d9aac9ff8addee74ab4e04babcca254b7752c9fda84a4123be20c3341f8d8a6c1
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qh:emSuOcHmnYhrDMTrban4qh

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2804-1-0x0000000000CE0000-0x0000000000D09000-memory.dmp	trickbot_loader32
behavioral2/memory/2804-6-0x0000000000CE0000-0x0000000000D09000-memory.dmp	trickbot_loader32
behavioral2/memory/3988-9-0x0000000000DA0000-0x0000000000DC9000-memory.dmp	trickbot_loader32
behavioral2/memory/3988-22-0x0000000000DA0000-0x0000000000DC9000-memory.dmp	trickbot_loader32
behavioral2/memory/3548-27-0x0000000000F30000-0x0000000000F59000-memory.dmp	trickbot_loader32
behavioral2/memory/3548-41-0x0000000000F30000-0x0000000000F59000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe
3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3988	2804	52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe	82
PID 2804 wrote to memory of 3988	2804	52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe	82
PID 2804 wrote to memory of 3988	2804	52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe	82
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3988 wrote to memory of 3472	3988	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	83
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97
PID 3548 wrote to memory of 1808	3548	62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52e7d8bb9f23beb33fbf502868016210_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Roaming\WNetval\62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WNetval\62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3472

C:\Users\Admin\AppData\Roaming\WNetval\62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WNetval\62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4018855536-2201274732-320770143-1000\0f5007522459c86e95ffcc62f32308f1_4d0966de-9ba4-4ee9-b282-eaf9cf9c9160

Filesize
1KB

MD5
c92f7a9dcdba44807e2e9a42c9c0ec11

SHA1
08628f7428fa4005fd0fd4ef806b8a1639eb58f1

SHA256
68f6cbd4081999a90c44bde734f893954ad09ff5bcb9539311a16b6d0284e651

SHA512
a531763b6ddc413dfc98bb0d86eedeff2f53cde9ba39c0dab9e8a5cb56ed3c71dfca3e8753bec092a7da7729083e93796d6401ed87d8bbbfd30199f4b3a5a2e0

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\62e8d9bb9f23beb33fbf602979017210_NeikiAnalytict.exe

Filesize
368KB

MD5
52e7d8bb9f23beb33fbf502868016210

SHA1
8ba82dc7331cc1df8462d35917bde3320baa8db2

SHA256
54f7bfe1a0967f4c2f4582d2b3327809bd817a4a556245ad9ba9124404f4e079

SHA512
ae12695e127c46130e030a6acd7f3b4c09c031bed64e56cb689910b1a2b1e51d9aac9ff8addee74ab4e04babcca254b7752c9fda84a4123be20c3341f8d8a6c1

Download Submit
memory/1808-43-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2804-6-0x0000000000CE0000-0x0000000000D09000-memory.dmp

Filesize
164KB

Download
memory/2804-1-0x0000000000CE0000-0x0000000000D09000-memory.dmp

Filesize
164KB

Download
memory/3472-23-0x0000015C3C6C0000-0x0000015C3C6C1000-memory.dmp

Filesize
4KB

Download
memory/3472-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3548-38-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/3548-27-0x0000000000F30000-0x0000000000F59000-memory.dmp

Filesize
164KB

Download
memory/3548-39-0x0000000001BB0000-0x0000000001C6E000-memory.dmp

Filesize
760KB

Download
memory/3548-41-0x0000000000F30000-0x0000000000F59000-memory.dmp

Filesize
164KB

Download
memory/3548-40-0x0000000001C70000-0x0000000001F39000-memory.dmp

Filesize
2.8MB

Download
memory/3988-22-0x0000000000DA0000-0x0000000000DC9000-memory.dmp

Filesize
164KB

Download
memory/3988-21-0x0000000002AC0000-0x0000000002D89000-memory.dmp

Filesize
2.8MB

Download
memory/3988-20-0x0000000000E50000-0x0000000000F0E000-memory.dmp

Filesize
760KB

Download
memory/3988-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3988-9-0x0000000000DA0000-0x0000000000DC9000-memory.dmp

Filesize
164KB

Download