trickbot | 281c93612260e9df8b08adc72d0a4581e282ec70318efe3426ea952f06c8d694

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e942e1be0d6e30d7ebe60ca85a0b6590N.exe
Size

368KB
MD5

e942e1be0d6e30d7ebe60ca85a0b6590
SHA1

d072e0416a376226230e550acded01200a03d935
SHA256

281c93612260e9df8b08adc72d0a4581e282ec70318efe3426ea952f06c8d694
SHA512

9024ddc6e4eb3ff3d56fe99a27108c0b139bc3a190094726127290e236367bea76040386799030f67d713a65557fed81118c9be0a80de9f003604d03314e66b8
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qG:emSuOcHmnYhrDMTrban4qG

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2356-1-0x00000000001D0000-0x00000000001F9000-memory.dmp	trickbot_loader32
behavioral1/memory/2356-7-0x00000000001D0000-0x00000000001F9000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-10-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-20-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
1884	e942e1be0d7e30d8ebe70ca96a0b7690N.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
2624	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2204	sc.exe
2684	sc.exe
2240	sc.exe
2912	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e942e1be0d6e30d7ebe60ca85a0b6590N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe
2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe
2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe
2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe
2492	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeTcbPrivilege	1884	e942e1be0d7e30d8ebe70ca96a0b7690N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2408	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	30
PID 2356 wrote to memory of 2408	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	30
PID 2356 wrote to memory of 2408	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	30
PID 2356 wrote to memory of 2408	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	30
PID 2356 wrote to memory of 1728	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	31
PID 2356 wrote to memory of 1728	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	31
PID 2356 wrote to memory of 1728	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	31
PID 2356 wrote to memory of 1728	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	31
PID 2356 wrote to memory of 1876	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	32
PID 2356 wrote to memory of 1876	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	32
PID 2356 wrote to memory of 1876	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	32
PID 2356 wrote to memory of 1876	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	32
PID 2356 wrote to memory of 2516	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	34
PID 2356 wrote to memory of 2516	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	34
PID 2356 wrote to memory of 2516	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	34
PID 2356 wrote to memory of 2516	2356	e942e1be0d6e30d7ebe60ca85a0b6590N.exe	34
PID 1876 wrote to memory of 2492	1876	cmd.exe	39
PID 1876 wrote to memory of 2492	1876	cmd.exe	39
PID 1876 wrote to memory of 2492	1876	cmd.exe	39
PID 1876 wrote to memory of 2492	1876	cmd.exe	39
PID 1728 wrote to memory of 2684	1728	cmd.exe	37
PID 1728 wrote to memory of 2684	1728	cmd.exe	37
PID 1728 wrote to memory of 2684	1728	cmd.exe	37
PID 1728 wrote to memory of 2684	1728	cmd.exe	37
PID 2408 wrote to memory of 2204	2408	cmd.exe	38
PID 2408 wrote to memory of 2204	2408	cmd.exe	38
PID 2408 wrote to memory of 2204	2408	cmd.exe	38
PID 2408 wrote to memory of 2204	2408	cmd.exe	38
PID 2516 wrote to memory of 2236	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	40
PID 2516 wrote to memory of 2236	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	40
PID 2516 wrote to memory of 2236	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	40
PID 2516 wrote to memory of 2236	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	40
PID 2516 wrote to memory of 2732	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	41
PID 2516 wrote to memory of 2732	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	41
PID 2516 wrote to memory of 2732	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	41
PID 2516 wrote to memory of 2732	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	41
PID 2516 wrote to memory of 2820	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	43
PID 2516 wrote to memory of 2820	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	43
PID 2516 wrote to memory of 2820	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	43
PID 2516 wrote to memory of 2820	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	43
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2516 wrote to memory of 2748	2516	e942e1be0d7e30d8ebe70ca96a0b7690N.exe	45
PID 2732 wrote to memory of 2912	2732	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e942e1be0d6e30d7ebe60ca85a0b6590N.exe
"C:\Users\Admin\AppData\Local\Temp\e942e1be0d6e30d7ebe60ca85a0b6590N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Users\Admin\AppData\Roaming\WNetval\e942e1be0d7e30d8ebe70ca96a0b7690N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\e942e1be0d7e30d8ebe70ca96a0b7690N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2748

C:\Windows\system32\taskeng.exe
taskeng.exe {EC20C049-3416-40D4-AD5B-EAAA2F0F22AE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1624
- C:\Users\Admin\AppData\Roaming\WNetval\e942e1be0d7e30d8ebe70ca96a0b7690N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\e942e1be0d7e30d8ebe70ca96a0b7690N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3

Filesize
1KB

MD5
3e12b9b6a1e966d70009ae6d5e6e40f0

SHA1
1a577bba16574ee87f4c75fc21d6f27cce8589c2

SHA256
c1ab9d97785738254a97711a11405aee6d3b55e1a872b330837dffdaeaf48ba4

SHA512
11bd59769d8a8ff470c57e951a3c7c028084f0d2865f5255ac9bb580fe1a89e208db44a0f3759d63fca6e9d2d139417be5b489106c4840cf3e61eeaad6826272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ea364b6715272c3b3f369d2ba0722c1c

SHA1
c6b82a5dffcbef106c59c86af331ad6600363272

SHA256
55ec01f2e41367ba8ef8415cc38db7073d0590f0b49ccdacb3b1a3e2bf91a4ce

SHA512
44e78bdcf08924ba9c5f2892e288dc68fdb7d1921f76c1e9215ef8a2b8b83fb1341df78040693c4cf6d77ff1f7449d685abe10043e55385c333ece0102f0796a

Download Submit
\Users\Admin\AppData\Roaming\WNetval\e942e1be0d7e30d8ebe70ca96a0b7690N.exe

Filesize
368KB

MD5
e942e1be0d6e30d7ebe60ca85a0b6590

SHA1
d072e0416a376226230e550acded01200a03d935

SHA256
281c93612260e9df8b08adc72d0a4581e282ec70318efe3426ea952f06c8d694

SHA512
9024ddc6e4eb3ff3d56fe99a27108c0b139bc3a190094726127290e236367bea76040386799030f67d713a65557fed81118c9be0a80de9f003604d03314e66b8

Download Submit
memory/2356-1-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/2356-7-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/2516-10-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2516-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2516-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2516-20-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/2748-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2748-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download