trickbot | 2103e44868d587fe3247a09802318e062750471c94793cc56f537e60caf37b01

General

Target

3800481c130c2671c5e4742cf6e99b00N.exe
Size

368KB
MD5

3800481c130c2671c5e4742cf6e99b00
SHA1

e583eacb665803c63bf96c6924790f9bbed02449
SHA256

2103e44868d587fe3247a09802318e062750471c94793cc56f537e60caf37b01
SHA512

defb5666245d54f5557611b7c56d844191630f02571058c0e7ac35dbb62a47e4e5dcef9d171dbf9cf7c942279188351e3f15d32c6af90a558f71917a8e9657ff
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qp:emSuOcHmnYhrDMTrban4qp

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2964-1-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/2964-7-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/3044-10-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/3044-21-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

3900491c130c2781c6e4842cf7e99b00N.exe3900491c130c2781c6e4842cf7e99b00N.exe

pid process

3044 3900491c130c2781c6e4842cf7e99b00N.exe
852 3900491c130c2781c6e4842cf7e99b00N.exe
Loads dropped DLL 1 IoCs

Processes:

3800481c130c2671c5e4742cf6e99b00N.exe

pid process

2964 3800481c130c2671c5e4742cf6e99b00N.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2612 powershell.exe
2464 powershell.exe

pid	process
3044	3900491c130c2781c6e4842cf7e99b00N.exe
852	3900491c130c2781c6e4842cf7e99b00N.exe

pid	process
2612	powershell.exe
2464	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2640 sc.exe
2904 sc.exe
2472 sc.exe
2984 sc.exe

pid	process
2640	sc.exe
2904	sc.exe
2472	sc.exe
2984	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3800481c130c2671c5e4742cf6e99b00N.exesc.exesc.exepowershell.execmd.exesc.exe3900491c130c2781c6e4842cf7e99b00N.execmd.exe3900491c130c2781c6e4842cf7e99b00N.execmd.exesc.execmd.execmd.execmd.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3800481c130c2671c5e4742cf6e99b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3900491c130c2781c6e4842cf7e99b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3900491c130c2781c6e4842cf7e99b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3800481c130c2671c5e4742cf6e99b00N.exe3900491c130c2781c6e4842cf7e99b00N.exepowershell.exepowershell.exe

pid	process
2964	3800481c130c2671c5e4742cf6e99b00N.exe
2964	3800481c130c2671c5e4742cf6e99b00N.exe
2964	3800481c130c2671c5e4742cf6e99b00N.exe
3044	3900491c130c2781c6e4842cf7e99b00N.exe
3044	3900491c130c2781c6e4842cf7e99b00N.exe
3044	3900491c130c2781c6e4842cf7e99b00N.exe
2612	powershell.exe
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe3900491c130c2781c6e4842cf7e99b00N.exe

description	pid	process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeTcbPrivilege	852	3900491c130c2781c6e4842cf7e99b00N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3800481c130c2671c5e4742cf6e99b00N.execmd.exe3900491c130c2781c6e4842cf7e99b00N.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2964 wrote to memory of 2648	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2648	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2648	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2648	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2756	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2756	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2756	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 2756	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 1084	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 1084	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 1084	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 1084	2964	3800481c130c2671c5e4742cf6e99b00N.exe	cmd.exe
PID 2964 wrote to memory of 3044	2964	3800481c130c2671c5e4742cf6e99b00N.exe	3900491c130c2781c6e4842cf7e99b00N.exe
PID 2964 wrote to memory of 3044	2964	3800481c130c2671c5e4742cf6e99b00N.exe	3900491c130c2781c6e4842cf7e99b00N.exe
PID 2964 wrote to memory of 3044	2964	3800481c130c2671c5e4742cf6e99b00N.exe	3900491c130c2781c6e4842cf7e99b00N.exe
PID 2964 wrote to memory of 3044	2964	3800481c130c2671c5e4742cf6e99b00N.exe	3900491c130c2781c6e4842cf7e99b00N.exe
PID 1084 wrote to memory of 2612	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 2612	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 2612	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 2612	1084	cmd.exe	powershell.exe
PID 3044 wrote to memory of 2580	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2580	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2580	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2580	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 2756 wrote to memory of 2904	2756	cmd.exe	sc.exe
PID 2756 wrote to memory of 2904	2756	cmd.exe	sc.exe
PID 2756 wrote to memory of 2904	2756	cmd.exe	sc.exe
PID 3044 wrote to memory of 2724	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 2756 wrote to memory of 2904	2756	cmd.exe	sc.exe
PID 3044 wrote to memory of 2724	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2724	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2724	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2592	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2592	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2592	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 3044 wrote to memory of 2592	3044	3900491c130c2781c6e4842cf7e99b00N.exe	cmd.exe
PID 2648 wrote to memory of 2640	2648	cmd.exe	sc.exe
PID 2648 wrote to memory of 2640	2648	cmd.exe	sc.exe
PID 2648 wrote to memory of 2640	2648	cmd.exe	sc.exe
PID 2648 wrote to memory of 2640	2648	cmd.exe	sc.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 3044 wrote to memory of 2748	3044	3900491c130c2781c6e4842cf7e99b00N.exe	svchost.exe
PID 2592 wrote to memory of 2464	2592	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3800481c130c2671c5e4742cf6e99b00N.exe
"C:\Users\Admin\AppData\Local\Temp\3800481c130c2671c5e4742cf6e99b00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2640

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2904

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
3⤵
- System Location Discovery: System Language Discovery
PID:2580

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2984

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
3⤵
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2472

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2748

C:\Windows\system32\taskeng.exe
taskeng.exe {88790EA7-A38B-4546-BB69-DD6632CB1C6C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2448

C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172136094-3310281978-782691160-1000\0f5007522459c86e95ffcc62f32308f1_ad67a936-7f42-4f72-a93a-f5bcf669d37e

Filesize
1KB

MD5
121597a0a19c7667d56e670c0bee0918

SHA1
abdf90de4ad3c492da9e8163b03dc840bec3948c

SHA256
0409c6f050ed801bc548088ae9bd2ad71cc6cfd520233f14c63c4c27c95233d0

SHA512
900bc16b8b5001d471dec17c6ec19c8e8486e6c0de8f577123f44a6c517e4c315f3bd6c3240b1c84f53d45d6630c7d901f35f92d77e18185a97abff386793504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
efde455a8cdfb46333ace00fce0eda16

SHA1
a1490207750ee8d9fdc862f611007c3f0d6f8323

SHA256
6b488aace9911d37f900a8d0d3e5db7275c33a2a8ea3ce4274b86670493bea3a

SHA512
9cc4581045079779d79fbaafa1046af0417813bcf24e8c7db051ead6eac131f6520a01f556aefb7f6486db3c086953a2a0d43296b78e66d7911eefad7c331d51

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\3900491c130c2781c6e4842cf7e99b00N.exe

Filesize
368KB

MD5
3800481c130c2671c5e4742cf6e99b00

SHA1
e583eacb665803c63bf96c6924790f9bbed02449

SHA256
2103e44868d587fe3247a09802318e062750471c94793cc56f537e60caf37b01

SHA512
defb5666245d54f5557611b7c56d844191630f02571058c0e7ac35dbb62a47e4e5dcef9d171dbf9cf7c942279188351e3f15d32c6af90a558f71917a8e9657ff

Download Submit
memory/2748-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2748-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2748-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2964-1-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2964-7-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/3044-10-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/3044-21-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/3044-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3044-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads