trickbot | 9608129701213f7565040f385e8c263d0daaa01ce31dcc7f95a7584c7bf4ad44

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe
Size

1.3MB
MD5

ab514dc1ce046921ffd95c5c7797b496
SHA1

4899afe80086a97c1825b37ae34e55af0945042b
SHA256

b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4
SHA512

171e9c2c86f3b899547513ce1e6a1aca827158975d587af103262f2610838cf893f7755d14d04b6bbcb17be290273331c35cb285315c224f2a92f9f22e6b9c7c
SSDEEP

24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90I8Yls:OQLy3Z5ecmCMqhnllLNgIHjbiIb9O

Score

10^/10

trickbot banker defense_evasion discovery persistence trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 3 IoCs

pid	Process
5088	Tua.com
4380	Tua.com
2656	Tua.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3600	cmd.exe
940	certutil.exe
4640	certutil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 2656	4380	Tua.com	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	2656	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tua.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tua.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tua.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	wermgr.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3656	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	85
PID 4740 wrote to memory of 3656	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	85
PID 4740 wrote to memory of 3656	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	85
PID 4740 wrote to memory of 3600	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	87
PID 4740 wrote to memory of 3600	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	87
PID 4740 wrote to memory of 3600	4740	b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe	87
PID 3600 wrote to memory of 940	3600	cmd.exe	89
PID 3600 wrote to memory of 940	3600	cmd.exe	89
PID 3600 wrote to memory of 940	3600	cmd.exe	89
PID 3600 wrote to memory of 3736	3600	cmd.exe	90
PID 3600 wrote to memory of 3736	3600	cmd.exe	90
PID 3600 wrote to memory of 3736	3600	cmd.exe	90
PID 3736 wrote to memory of 3300	3736	cmd.exe	91
PID 3736 wrote to memory of 3300	3736	cmd.exe	91
PID 3736 wrote to memory of 3300	3736	cmd.exe	91
PID 3736 wrote to memory of 4640	3736	cmd.exe	92
PID 3736 wrote to memory of 4640	3736	cmd.exe	92
PID 3736 wrote to memory of 4640	3736	cmd.exe	92
PID 3736 wrote to memory of 5088	3736	cmd.exe	93
PID 3736 wrote to memory of 5088	3736	cmd.exe	93
PID 3736 wrote to memory of 5088	3736	cmd.exe	93
PID 3736 wrote to memory of 8	3736	cmd.exe	94
PID 3736 wrote to memory of 8	3736	cmd.exe	94
PID 3736 wrote to memory of 8	3736	cmd.exe	94
PID 5088 wrote to memory of 4380	5088	Tua.com	95
PID 5088 wrote to memory of 4380	5088	Tua.com	95
PID 5088 wrote to memory of 4380	5088	Tua.com	95
PID 4380 wrote to memory of 2656	4380	Tua.com	96
PID 4380 wrote to memory of 2656	4380	Tua.com	96
PID 4380 wrote to memory of 2656	4380	Tua.com	96
PID 4380 wrote to memory of 2656	4380	Tua.com	96
PID 4380 wrote to memory of 2656	4380	Tua.com	96
PID 2656 wrote to memory of 1700	2656	Tua.com	100
PID 2656 wrote to memory of 1700	2656	Tua.com	100
PID 2656 wrote to memory of 2888	2656	Tua.com	101
PID 2656 wrote to memory of 2888	2656	Tua.com	101
PID 2656 wrote to memory of 2888	2656	Tua.com	101
PID 2656 wrote to memory of 2888	2656	Tua.com	101

C:\Users\Admin\AppData\Local\Temp\b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe
"C:\Users\Admin\AppData\Local\Temp\b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fhlfszSNj
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c certutil -decode Brucia.xls Suo.dot & cmd < Suo.dot
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode Brucia.xls Suo.dot
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$" Estremita.adt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3300
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode Ore.ini Z
      4⤵
      Deobfuscate/Decode Files or Information
      System Location Discovery: System Language Discovery
      PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
      Tua.com Z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com Z
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        7⤵
        
        PID:1700
        
        C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 428
        7⤵
        Program crash
        
        PID:4960
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2656 -ip 2656
1⤵
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Appare.sys

Filesize
235KB

MD5
f24168a8978d6f37d25752f05efdf8c2

SHA1
f0680ec42311212cef68370a83f4d62c7966099e

SHA256
08459331eceb39b60a5b166ee3322767c157292dc108df54933227c6bd500b28

SHA512
1d95ceeb4f861eb36b23145dc39db42bd8960f721dc6632428e2243446c1e7b02a39488c30ecaf28757b857ef78cf842ec99e11fa00380b766126fdf6134c724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brucia.xls

Filesize
41KB

MD5
82d90d91a120a19919dbc524880a2eae

SHA1
b86fb4b724d11d5c412e04251e0cd830755ef007

SHA256
875a4cdc9fbd55810dd252f8e35512fffb892a79e517411d1fcbd917685efc8a

SHA512
1dba871074f97c68fe0c49bab166f801bcfad153be12e346f9baf39b9b1642d2db4b6255da5153ebf2994ba4c7d722011b98c4b053ece8313102995fa4e16440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Estremita.adt

Filesize
921KB

MD5
8253b4f0646e3c127d146110f889215e

SHA1
64a92b27c3762f2b0bc6af67c1de6e006c1b820d

SHA256
08607493aab770b45ffdb7ffe5c1f3a5e5fdba0b55d03251f7117ee10f4d67ad

SHA512
b6013ef36f296c50ab1a1b15b27fc8b5ba840d66279fcf5eab396c1fc5058760c6f08626a1119790bccd794fad1e2eb7cb764245408ade1838926a0e4e3d5f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.ini

Filesize
881KB

MD5
6c2dfee26bbca7045c465d9c0414b652

SHA1
58ed46c2dc00097521d0db0819541d9e4909deb8

SHA256
eeb47e521e0facfb217aef0e9c1cb57e147340b8e1c3d8e4acdff3e04dad2eef

SHA512
8ddc4974e35b2fdf35556b28e4c49f3290308f537ce0f50ee6ddcd466abc8a1908c28905ac07a721f0b75f514a1b503c4464267e7bc51107a459f46c4ee93ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suo.dot

Filesize
29KB

MD5
9d88809cceb6dab6ed296d8bef0dc0d5

SHA1
a31e613888ca0cb3fd77d208c8621c05d2828ab9

SHA256
74e36bf70290030e791e981aca49b1cc3e4e96aa12949add2d254cad3a095d37

SHA512
84efe76ccc711af625a5f6a8fd3fb92dffda62b554f44df9ff9b65152a461f1c54659dca68debef324512d97d32b677e3fe6b6210f4bbec25a1cec02c657ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z

Filesize
640KB

MD5
89fbfd3b8f82003de0ced3fd68406bdd

SHA1
57b2cc29133732e93ed2cf3853476dfecc8d007c

SHA256
f091e7d727e58c93bdb06ffceca3ee720a29768ff9b175c35a978f68777d5388

SHA512
8aa61d225a338733fa81f7abd5c288ff14a02669393c8a2f369712da614ff582d4144c6920bb36b13a64de583918f7c5524f8f2d738291dcf1ca8c43df98beb3

Download Submit
memory/2656-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-94-0x000001D64F8F0000-0x000001D64F8F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads