trickbot | e31ace5602fa7c78e8a7c73efded326053a27ee8b94a868e3487c798803d8f3b

General

Target

7fb1de391d2e8956aab8a707ba7047b0N.exe
Size

368KB
MD5

7fb1de391d2e8956aab8a707ba7047b0
SHA1

b4596d683f948181068395159cf245d7faf5617a
SHA256

e31ace5602fa7c78e8a7c73efded326053a27ee8b94a868e3487c798803d8f3b
SHA512

32b7e4773585434eabc057f3af32c08726bf347bac1a3375b87cff22e1b8498b90821f918047778a7e22add83293dcc08d3ccdb8c74ae0a75616f1cd39153305
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q0:emSuOcHmnYhrDMTrban4q0

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2568-1-0x0000000000E90000-0x0000000000EB9000-memory.dmp	trickbot_loader32
behavioral2/memory/2568-8-0x0000000000E90000-0x0000000000EB9000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-9-0x0000000000D70000-0x0000000000D99000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-24-0x0000000000D70000-0x0000000000D99000-memory.dmp	trickbot_loader32
behavioral2/memory/2348-28-0x0000000000CA0000-0x0000000000CC9000-memory.dmp	trickbot_loader32
behavioral2/memory/2348-42-0x0000000000CA0000-0x0000000000CC9000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8fb1de391d2e9967aab9a808ba8048b0N.exe8fb1de391d2e9967aab9a808ba8048b0N.exe

pid process

3728 8fb1de391d2e9967aab9a808ba8048b0N.exe
2348 8fb1de391d2e9967aab9a808ba8048b0N.exe

pid	process
3728	8fb1de391d2e9967aab9a808ba8048b0N.exe
2348	8fb1de391d2e9967aab9a808ba8048b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7fb1de391d2e8956aab8a707ba7047b0N.exe8fb1de391d2e9967aab9a808ba8048b0N.exe8fb1de391d2e9967aab9a808ba8048b0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fb1de391d2e8956aab8a707ba7047b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fb1de391d2e9967aab9a808ba8048b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fb1de391d2e9967aab9a808ba8048b0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8fb1de391d2e9967aab9a808ba8048b0N.exe

description pid process

Token: SeTcbPrivilege 2348 8fb1de391d2e9967aab9a808ba8048b0N.exe

description	pid	process
Token: SeTcbPrivilege	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

7fb1de391d2e8956aab8a707ba7047b0N.exe8fb1de391d2e9967aab9a808ba8048b0N.exe8fb1de391d2e9967aab9a808ba8048b0N.exe

description	pid	process	target process
PID 2568 wrote to memory of 3728	2568	7fb1de391d2e8956aab8a707ba7047b0N.exe	8fb1de391d2e9967aab9a808ba8048b0N.exe
PID 2568 wrote to memory of 3728	2568	7fb1de391d2e8956aab8a707ba7047b0N.exe	8fb1de391d2e9967aab9a808ba8048b0N.exe
PID 2568 wrote to memory of 3728	2568	7fb1de391d2e8956aab8a707ba7047b0N.exe	8fb1de391d2e9967aab9a808ba8048b0N.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 3728 wrote to memory of 2172	3728	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe
PID 2348 wrote to memory of 1096	2348	8fb1de391d2e9967aab9a808ba8048b0N.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe
"C:\Users\Admin\AppData\Local\Temp\7fb1de391d2e8956aab8a707ba7047b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2172

C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
1KB

MD5
e75dcafc16c957cca26d59f2e356d701

SHA1
296e1bc7e890a9a66dacf69d5b74a1f8adf77a03

SHA256
cad27908dfff0b0c7c9c428f020cc0fb0e5f9f1cd75881ac8a2d9373be7404d5

SHA512
ec958d273939903ad5615507c2f4f6f3348c1ecf992c3ca02bd62fedd5f4f1e0b098698c61f0cc6f71fa6953ab1f6f46a9f8caefc0d312782b26d949d2647c8d

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\8fb1de391d2e9967aab9a808ba8048b0N.exe

Filesize
368KB

MD5
7fb1de391d2e8956aab8a707ba7047b0

SHA1
b4596d683f948181068395159cf245d7faf5617a

SHA256
e31ace5602fa7c78e8a7c73efded326053a27ee8b94a868e3487c798803d8f3b

SHA512
32b7e4773585434eabc057f3af32c08726bf347bac1a3375b87cff22e1b8498b90821f918047778a7e22add83293dcc08d3ccdb8c74ae0a75616f1cd39153305

Download Submit
memory/1096-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2172-21-0x000001DFDE200000-0x000001DFDE201000-memory.dmp

Filesize
4KB

Download
memory/2172-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2172-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2348-42-0x0000000000CA0000-0x0000000000CC9000-memory.dmp

Filesize
164KB

Download
memory/2348-41-0x0000000001990000-0x0000000001C59000-memory.dmp

Filesize
2.8MB

Download
memory/2348-28-0x0000000000CA0000-0x0000000000CC9000-memory.dmp

Filesize
164KB

Download
memory/2348-40-0x00000000018D0000-0x000000000198E000-memory.dmp

Filesize
760KB

Download
memory/2348-39-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/2568-8-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/3728-22-0x0000000002A30000-0x0000000002AEE000-memory.dmp

Filesize
760KB

Download
memory/3728-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3728-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3728-15-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3728-24-0x0000000000D70000-0x0000000000D99000-memory.dmp

Filesize
164KB

Download
memory/3728-23-0x0000000002AF0000-0x0000000002DB9000-memory.dmp

Filesize
2.8MB

Download
memory/3728-9-0x0000000000D70000-0x0000000000D99000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads