trickbot | 7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09f

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe
Size

368KB
MD5

c16b1cb543bd5f5dcf42d38a79011d00
SHA1

240f544d40c3d25427bbb2f7d39115dd8a81c567
SHA256

7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09f
SHA512

f8b0a18e0b9644dbe619745327c72ada40c8a58758ae8a1243921df742874ef138d1b4adbb6b620dffa73cb476907e54c0992c23b31f35788bee9ba394705731
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qh:emSuOcHmnYhrDMTrban4qh

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3316-1-0x0000000001520000-0x0000000001549000-memory.dmp	trickbot_loader32
behavioral2/memory/3316-8-0x0000000001520000-0x0000000001549000-memory.dmp	trickbot_loader32
behavioral2/memory/2028-9-0x0000000000CD0000-0x0000000000CF9000-memory.dmp	trickbot_loader32
behavioral2/memory/2028-24-0x0000000000CD0000-0x0000000000CF9000-memory.dmp	trickbot_loader32
behavioral2/memory/388-28-0x0000000000D00000-0x0000000000D29000-memory.dmp	trickbot_loader32
behavioral2/memory/388-42-0x0000000000D00000-0x0000000000D29000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

pid	Process
2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

description	pid	Process
Token: SeTcbPrivilege	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

description	pid	Process	procid_target
PID 3316 wrote to memory of 2028	3316	7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe	84
PID 3316 wrote to memory of 2028	3316	7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe	84
PID 3316 wrote to memory of 2028	3316	7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe	84
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 2028 wrote to memory of 220	2028	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	85
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96
PID 388 wrote to memory of 4328	388	8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe
"C:\Users\Admin\AppData\Local\Temp\7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09fN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Roaming\WNetval\8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
  C:\Users\Admin\AppData\Roaming\WNetval\8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:220

C:\Users\Admin\AppData\Roaming\WNetval\8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
C:\Users\Admin\AppData\Roaming\WNetval\8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2412658365-3084825385-3340777666-1000\0f5007522459c86e95ffcc62f32308f1_dd06e985-ac7f-4567-b0c7-3752f03c29fc

Filesize
1KB

MD5
2acb0c57af7470a8f14003415c2d4b2c

SHA1
867e500d5feeb0a5a29267bcda48dbfeffb14a78

SHA256
1ca7416c914eeaf2f5d6fa386c6fe1160e4e1454b8e185e26d08395718b5a312

SHA512
5fa4d54fc289eb1b06ebf76fd42c496a2002824363955bcee6607d464d99291be07d9bfa1ab74b54e350b3185f729271af887806ab19d2cdd1b07698182b3961

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\8a3faa8eb2b96064601698380ef432eb2be7723c6693d66619ffa9daea1ab09fN.exe

Filesize
368KB

MD5
c16b1cb543bd5f5dcf42d38a79011d00

SHA1
240f544d40c3d25427bbb2f7d39115dd8a81c567

SHA256
7a3faa7eb2b95054501597370ef432eb2be6623c5593d55519ffa9daea1ab09f

SHA512
f8b0a18e0b9644dbe619745327c72ada40c8a58758ae8a1243921df742874ef138d1b4adbb6b620dffa73cb476907e54c0992c23b31f35788bee9ba394705731

Download Submit
memory/220-21-0x000001A067DA0000-0x000001A067DA1000-memory.dmp

Filesize
4KB

Download
memory/220-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/220-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/388-34-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/388-28-0x0000000000D00000-0x0000000000D29000-memory.dmp

Filesize
164KB

Download
memory/388-41-0x0000000001AB0000-0x0000000001D79000-memory.dmp

Filesize
2.8MB

Download
memory/388-42-0x0000000000D00000-0x0000000000D29000-memory.dmp

Filesize
164KB

Download
memory/388-40-0x00000000019F0000-0x0000000001AAE000-memory.dmp

Filesize
760KB

Download
memory/2028-24-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Filesize
164KB

Download
memory/2028-22-0x0000000002C90000-0x0000000002D4E000-memory.dmp

Filesize
760KB

Download
memory/2028-9-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Filesize
164KB

Download
memory/2028-23-0x0000000002D50000-0x0000000003019000-memory.dmp

Filesize
2.8MB

Download
memory/2028-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2028-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2028-20-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3316-1-0x0000000001520000-0x0000000001549000-memory.dmp

Filesize
164KB

Download
memory/3316-8-0x0000000001520000-0x0000000001549000-memory.dmp

Filesize
164KB

Download
memory/4328-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download