trickbot | b6753536729e53c5d053e48e703aa934cdd32a8b6cdc8aca9e03f6fd49929098

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e93e0d0ec6513e1435f05c466752990N.exe
Size

368KB
MD5

3e93e0d0ec6513e1435f05c466752990
SHA1

b9fdaaf18942b14f80f3d34616c3fdec7d317df9
SHA256

b6753536729e53c5d053e48e703aa934cdd32a8b6cdc8aca9e03f6fd49929098
SHA512

623bc9e604870e36636e5f3afcfe683c340a36c9e2fd8b84347ea7fd857ea8cb9166afc4200ccaa384712869689058d52c71873b5df5c4d782cb8718941843f8
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qM:emSuOcHmnYhrDMTrban4qM

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2520-1-0x0000000000C50000-0x0000000000C79000-memory.dmp	trickbot_loader32
behavioral2/memory/2520-6-0x0000000000C50000-0x0000000000C79000-memory.dmp	trickbot_loader32
behavioral2/memory/1608-9-0x0000000001370000-0x0000000001399000-memory.dmp	trickbot_loader32
behavioral2/memory/1608-24-0x0000000001370000-0x0000000001399000-memory.dmp	trickbot_loader32
behavioral2/memory/2976-28-0x0000000000940000-0x0000000000969000-memory.dmp	trickbot_loader32
behavioral2/memory/2976-42-0x0000000000940000-0x0000000000969000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
1608	3e93e0d0ec7613e1436f06c477862990N.exe
2976	3e93e0d0ec7613e1436f06c477862990N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2976	3e93e0d0ec7613e1436f06c477862990N.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1608	2520	3e93e0d0ec6513e1435f05c466752990N.exe	83
PID 2520 wrote to memory of 1608	2520	3e93e0d0ec6513e1435f05c466752990N.exe	83
PID 2520 wrote to memory of 1608	2520	3e93e0d0ec6513e1435f05c466752990N.exe	83
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 1608 wrote to memory of 1672	1608	3e93e0d0ec7613e1436f06c477862990N.exe	85
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100
PID 2976 wrote to memory of 1580	2976	3e93e0d0ec7613e1436f06c477862990N.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e93e0d0ec6513e1435f05c466752990N.exe
"C:\Users\Admin\AppData\Local\Temp\3e93e0d0ec6513e1435f05c466752990N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Roaming\WNetval\3e93e0d0ec7613e1436f06c477862990N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\3e93e0d0ec7613e1436f06c477862990N.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1672

C:\Users\Admin\AppData\Roaming\WNetval\3e93e0d0ec7613e1436f06c477862990N.exe
C:\Users\Admin\AppData\Roaming\WNetval\3e93e0d0ec7613e1436f06c477862990N.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1750093773-264148664-1320403265-1000\0f5007522459c86e95ffcc62f32308f1_46967d70-72aa-405b-b21a-7603bc5aaaad

Filesize
1KB

MD5
eb91186e18ad1f600027cc421d9904cc

SHA1
41fec50a312a3aa549c71b509d034fe082c63d69

SHA256
c9e669ff7158313c5b2396e4d9322d114c9fde8add1cf3e99a4d2a3bc4267e41

SHA512
a37d0c711a7a5685292c85ca81600d4bfaeb5369eb265696cd95dd1ca5c8e21622ac73c3d10c3ebb23218c21cae5832223a57669019cedb7919c688baf964c62

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\3e93e0d0ec7613e1436f06c477862990N.exe

Filesize
368KB

MD5
3e93e0d0ec6513e1435f05c466752990

SHA1
b9fdaaf18942b14f80f3d34616c3fdec7d317df9

SHA256
b6753536729e53c5d053e48e703aa934cdd32a8b6cdc8aca9e03f6fd49929098

SHA512
623bc9e604870e36636e5f3afcfe683c340a36c9e2fd8b84347ea7fd857ea8cb9166afc4200ccaa384712869689058d52c71873b5df5c4d782cb8718941843f8

Download Submit
memory/1580-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1608-20-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1608-22-0x0000000001620000-0x00000000016DE000-memory.dmp

Filesize
760KB

Download
memory/1608-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1608-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1608-23-0x0000000003240000-0x0000000003509000-memory.dmp

Filesize
2.8MB

Download
memory/1608-9-0x0000000001370000-0x0000000001399000-memory.dmp

Filesize
164KB

Download
memory/1608-24-0x0000000001370000-0x0000000001399000-memory.dmp

Filesize
164KB

Download
memory/1672-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1672-21-0x0000022C81270000-0x0000022C81271000-memory.dmp

Filesize
4KB

Download
memory/1672-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2520-1-0x0000000000C50000-0x0000000000C79000-memory.dmp

Filesize
164KB

Download
memory/2520-6-0x0000000000C50000-0x0000000000C79000-memory.dmp

Filesize
164KB

Download
memory/2976-28-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/2976-42-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/2976-41-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2976-39-0x0000000000D70000-0x0000000000E2E000-memory.dmp

Filesize
760KB

Download
memory/2976-40-0x00000000016F0000-0x00000000019B9000-memory.dmp

Filesize
2.8MB

Download