trickbot | 3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f

Analysis

max time kernel
70s
max time network
17s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
Size

368KB
MD5

4bb384ef166aa19a6a08f22accccca8e
SHA1

ef112992ffaf5b43e4a0235c5f3a7562c4fb6a85
SHA256

3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f
SHA512

47bf71ac953348888fbdcd424252145c1263cce65f01ed6a8f74284455400d02c78e9841a6a787076f26b39a2b04611723f8faa2f77f77fd30f9c4cc95d21206
SSDEEP

6144:Ko5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qM:KmSuOcHmnYhrDMTrban4qM

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1068-1-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/1068-7-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/2364-10-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/2364-20-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
1688	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2584	sc.exe
2956	sc.exe
2516	sc.exe
2644	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
2508	powershell.exe
2984	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeTcbPrivilege	1688	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1660	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	28
PID 1068 wrote to memory of 1660	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	28
PID 1068 wrote to memory of 1660	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	28
PID 1068 wrote to memory of 1660	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	28
PID 1068 wrote to memory of 1484	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	29
PID 1068 wrote to memory of 1484	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	29
PID 1068 wrote to memory of 1484	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	29
PID 1068 wrote to memory of 1484	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	29
PID 1068 wrote to memory of 2376	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	31
PID 1068 wrote to memory of 2376	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	31
PID 1068 wrote to memory of 2376	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	31
PID 1068 wrote to memory of 2376	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	31
PID 1068 wrote to memory of 2364	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	34
PID 1068 wrote to memory of 2364	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	34
PID 1068 wrote to memory of 2364	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	34
PID 1068 wrote to memory of 2364	1068	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	34
PID 1660 wrote to memory of 2956	1660	cmd.exe	35
PID 1660 wrote to memory of 2956	1660	cmd.exe	35
PID 1660 wrote to memory of 2956	1660	cmd.exe	35
PID 1660 wrote to memory of 2956	1660	cmd.exe	35
PID 2376 wrote to memory of 2984	2376	cmd.exe	36
PID 2376 wrote to memory of 2984	2376	cmd.exe	36
PID 2376 wrote to memory of 2984	2376	cmd.exe	36
PID 2376 wrote to memory of 2984	2376	cmd.exe	36
PID 1484 wrote to memory of 2584	1484	cmd.exe	37
PID 1484 wrote to memory of 2584	1484	cmd.exe	37
PID 1484 wrote to memory of 2584	1484	cmd.exe	37
PID 1484 wrote to memory of 2584	1484	cmd.exe	37
PID 2364 wrote to memory of 2684	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	38
PID 2364 wrote to memory of 2684	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	38
PID 2364 wrote to memory of 2684	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	38
PID 2364 wrote to memory of 2684	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	38
PID 2364 wrote to memory of 2688	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	39
PID 2364 wrote to memory of 2688	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	39
PID 2364 wrote to memory of 2688	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	39
PID 2364 wrote to memory of 2688	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	39
PID 2364 wrote to memory of 2740	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	42
PID 2364 wrote to memory of 2740	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	42
PID 2364 wrote to memory of 2740	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	42
PID 2364 wrote to memory of 2740	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	42
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2364 wrote to memory of 2732	2364	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	43
PID 2684 wrote to memory of 2516	2684	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
"C:\Users\Admin\AppData\Local\Temp\3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
  C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2732

C:\Windows\system32\taskeng.exe
taskeng.exe {A70D0D7E-5EE0-4137-8D9C-BF1524F46EF5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1256
- C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
  C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02

Filesize
1KB

MD5
f76f0f35ae9f2dbafcb01f73e342779c

SHA1
b54d2bf704a86646c8e697abe0606049dd02910a

SHA256
8d2cd3df927a341a8567d30aa719a5671fb0e01b2f0444e15f5831a39f3c77ea

SHA512
505aa8f2af35707ca8d0a905f516b43361c4958fa05ef9315d0c86360fe638a957444c545ca8cb940b462bf031314ffc5d411ad47797000930879889c92a122e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3d8012f2b8b8be6312beef98b624313b

SHA1
6f20e2818f76182773c54547ee0825d5f4324fac

SHA256
2deed29f2da1090be094631738deb2b8681cd18eadbb21766c24a39d773db9c8

SHA512
cf2699ea3d12fdc6458cda60d0000b4bc4868c8a2cba26ae4ad22a44c69a41e719ae9727e6836576f6484470b808abe7ff29372414d61bb099a4105f6459b15e

Download Submit
\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Filesize
368KB

MD5
4bb384ef166aa19a6a08f22accccca8e

SHA1
ef112992ffaf5b43e4a0235c5f3a7562c4fb6a85

SHA256
3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f

SHA512
47bf71ac953348888fbdcd424252145c1263cce65f01ed6a8f74284455400d02c78e9841a6a787076f26b39a2b04611723f8faa2f77f77fd30f9c4cc95d21206

Download Submit
memory/1068-1-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1068-7-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2364-10-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2364-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2364-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2364-20-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2732-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2732-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download