trickbot | 0923b78ac186b8160a285213a0aa3452254bb0bddccf2797062a0533c825c8f8

Analysis

max time kernel
70s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
Size

368KB
MD5

47f1d885fac2c01cce8ba63245fc3f7c
SHA1

bf1c2aa2d3285f6632a10d56e65c0281032f7a0c
SHA256

a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e
SHA512

a3967d47ef3c9e4e4352055a5132ed4c8b1d4b5e4ce874a688eb780c1f213a36ff2a9ef44911a7c100af4f520c1003d0c07eb92aa73e551cf7d95a97f29a7719
SSDEEP

6144:Fo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:FmSuOcHmnYhrDMTrban4q6

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2548-1-0x0000000000100000-0x0000000000129000-memory.dmp	trickbot_loader32
behavioral1/memory/2548-6-0x0000000000100000-0x0000000000129000-memory.dmp	trickbot_loader32
behavioral1/memory/1924-10-0x0000000000100000-0x0000000000160000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
3020	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3044	sc.exe
2764	sc.exe
3056	sc.exe
2692	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
2480	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeTcbPrivilege	3020	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1360	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	29
PID 2548 wrote to memory of 1360	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	29
PID 2548 wrote to memory of 1360	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	29
PID 2548 wrote to memory of 1360	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	29
PID 2548 wrote to memory of 1280	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	30
PID 2548 wrote to memory of 1280	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	30
PID 2548 wrote to memory of 1280	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	30
PID 2548 wrote to memory of 1280	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	30
PID 2548 wrote to memory of 2020	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	31
PID 2548 wrote to memory of 2020	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	31
PID 2548 wrote to memory of 2020	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	31
PID 2548 wrote to memory of 2020	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	31
PID 2548 wrote to memory of 1924	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	35
PID 2548 wrote to memory of 1924	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	35
PID 2548 wrote to memory of 1924	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	35
PID 2548 wrote to memory of 1924	2548	a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe	35
PID 1280 wrote to memory of 3044	1280	cmd.exe	37
PID 1280 wrote to memory of 3044	1280	cmd.exe	37
PID 1280 wrote to memory of 3044	1280	cmd.exe	37
PID 1280 wrote to memory of 3044	1280	cmd.exe	37
PID 1360 wrote to memory of 2764	1360	cmd.exe	36
PID 1360 wrote to memory of 2764	1360	cmd.exe	36
PID 1360 wrote to memory of 2764	1360	cmd.exe	36
PID 1360 wrote to memory of 2764	1360	cmd.exe	36
PID 2020 wrote to memory of 2668	2020	cmd.exe	38
PID 2020 wrote to memory of 2668	2020	cmd.exe	38
PID 2020 wrote to memory of 2668	2020	cmd.exe	38
PID 2020 wrote to memory of 2668	2020	cmd.exe	38
PID 1924 wrote to memory of 2052	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	39
PID 1924 wrote to memory of 2052	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	39
PID 1924 wrote to memory of 2052	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	39
PID 1924 wrote to memory of 2052	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	39
PID 1924 wrote to memory of 2404	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	40
PID 1924 wrote to memory of 2404	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	40
PID 1924 wrote to memory of 2404	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	40
PID 1924 wrote to memory of 2404	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	40
PID 1924 wrote to memory of 2836	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	43
PID 1924 wrote to memory of 2836	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	43
PID 1924 wrote to memory of 2836	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	43
PID 1924 wrote to memory of 2836	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	43
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 1924 wrote to memory of 2832	1924	a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe	44
PID 2404 wrote to memory of 3056	2404	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe
"C:\Users\Admin\AppData\Local\Temp\a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
  C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {4F42D5C9-7EC0-47CF-8F35-F262D6A7FA2A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2752
- C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
  C:\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172136094-3310281978-782691160-1000\0f5007522459c86e95ffcc62f32308f1_ad67a936-7f42-4f72-a93a-f5bcf669d37e

Filesize
1KB

MD5
aa576e4b89310eb6e7391962e7487519

SHA1
09129db3eedb8d7458b65c2420e9f56acebeb16b

SHA256
f610d70a2493e4a4d4a17be419e99eebed1f02b15430b35212972d92059746f3

SHA512
b0b1d2282c0178cff2ebfa904965b2a4bd02a75e538631cd0d4a88d9cf9b2fe536bbe8662680d5688e98fe25348f9344f044b14c5caa874a6a5ecf4aa3a5ad19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e03702d4ad471de0e5a1377ef98c412c

SHA1
6d6e18d659b74c7b9d5170fda6e1daa196c8f656

SHA256
f0141b4b42c342f3ee637ddbbf08b198e1d67a1527800374cd2d2514b1a3bd01

SHA512
14eed6b98527db91207096e9c68335b39dba1de18f2a71e207ee6ae735870e0244e6c4ead691e5df1b4696cc34d5acbae970f3e45e9b8166286eb516449f4ae8

Download Submit
\Users\Admin\AppData\Roaming\WNetval\a7ca9893cd3827863c9b79a4ebc0cc0a6d703920efd7de823209e7aacbff074e.exe

Filesize
368KB

MD5
47f1d885fac2c01cce8ba63245fc3f7c

SHA1
bf1c2aa2d3285f6632a10d56e65c0281032f7a0c

SHA256
a6ca9783cd3726753c9b69a4ebc0cc0a5d603920efd6de723209e6aacbff064e

SHA512
a3967d47ef3c9e4e4352055a5132ed4c8b1d4b5e4ce874a688eb780c1f213a36ff2a9ef44911a7c100af4f520c1003d0c07eb92aa73e551cf7d95a97f29a7719

Download Submit
memory/1924-10-0x0000000000100000-0x0000000000160000-memory.dmp

Filesize
384KB

Download
memory/1924-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1924-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2548-1-0x0000000000100000-0x0000000000129000-memory.dmp

Filesize
164KB

Download
memory/2548-6-0x0000000000100000-0x0000000000129000-memory.dmp

Filesize
164KB

Download
memory/2832-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2832-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download