trickbot | 6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe
Size

368KB
MD5

6452209126ede158ba01e86225835350
SHA1

16441c96e85e9d96353209ceb4b2a3970e067bcb
SHA256

6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13
SHA512

f73b9a9514388c619fb6873f8c1695b7accc00bf0151c96b6507f704fdd7f816bbf3fccd1f53e24ff005d553e6de4e5e8a010cfd180aa6148f5fd117f6499827
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qP:emSuOcHmnYhrDMTrban4qP

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4180-1-0x0000000000DD0000-0x0000000000DF9000-memory.dmp	trickbot_loader32
behavioral2/memory/4180-5-0x0000000000DD0000-0x0000000000DF9000-memory.dmp	trickbot_loader32
behavioral2/memory/4416-9-0x0000000000DC0000-0x0000000000DE9000-memory.dmp	trickbot_loader32
behavioral2/memory/4416-24-0x0000000000DC0000-0x0000000000DE9000-memory.dmp	trickbot_loader32
behavioral2/memory/4364-28-0x0000000000700000-0x0000000000729000-memory.dmp	trickbot_loader32
behavioral2/memory/4364-42-0x0000000000700000-0x0000000000729000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

pid	Process
4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

description	pid	Process
Token: SeTcbPrivilege	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

description	pid	Process	procid_target
PID 4180 wrote to memory of 4416	4180	6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe	82
PID 4180 wrote to memory of 4416	4180	6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe	82
PID 4180 wrote to memory of 4416	4180	6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe	82
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4416 wrote to memory of 2636	4416	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	83
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94
PID 4364 wrote to memory of 4280	4364	7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe
"C:\Users\Admin\AppData\Local\Temp\6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Roaming\WNetval\7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2636

C:\Users\Admin\AppData\Roaming\WNetval\7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
C:\Users\Admin\AppData\Roaming\WNetval\7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7

Filesize
1KB

MD5
476e0eaf1348e56ec81ec6cdd45d83c1

SHA1
151dee01518ba019243a0664cdfdee4b4a20d4e2

SHA256
58693a2fc3f29fad8596264c1d9b18b9736a59cff483023b573e1a1f2aa4f040

SHA512
493fb54f29fe2f62a7247e46e22a59097e79caa685f4b7a434812106156f990f13dadd7f6f7db063f4463b1f450eb25faea0ea5945962e58f965f0e8b2821fd8

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7db102eed1f6db1be39c03badad088403233999ac8fa8b9fa818d6c79919da13N.exe

Filesize
368KB

MD5
6452209126ede158ba01e86225835350

SHA1
16441c96e85e9d96353209ceb4b2a3970e067bcb

SHA256
6db102eed1f5db1be38c03badad077403233889ac7fa7b8fa717d5c69818da13

SHA512
f73b9a9514388c619fb6873f8c1695b7accc00bf0151c96b6507f704fdd7f816bbf3fccd1f53e24ff005d553e6de4e5e8a010cfd180aa6148f5fd117f6499827

Download Submit
memory/2636-21-0x000001813E840000-0x000001813E841000-memory.dmp

Filesize
4KB

Download
memory/2636-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4180-5-0x0000000000DD0000-0x0000000000DF9000-memory.dmp

Filesize
164KB

Download
memory/4180-1-0x0000000000DD0000-0x0000000000DF9000-memory.dmp

Filesize
164KB

Download
memory/4280-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4364-28-0x0000000000700000-0x0000000000729000-memory.dmp

Filesize
164KB

Download
memory/4364-42-0x0000000000700000-0x0000000000729000-memory.dmp

Filesize
164KB

Download
memory/4364-41-0x00000000012B0000-0x0000000001579000-memory.dmp

Filesize
2.8MB

Download
memory/4364-40-0x00000000011F0000-0x00000000012AE000-memory.dmp

Filesize
760KB

Download
memory/4364-34-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4416-9-0x0000000000DC0000-0x0000000000DE9000-memory.dmp

Filesize
164KB

Download
memory/4416-23-0x0000000003290000-0x0000000003559000-memory.dmp

Filesize
2.8MB

Download
memory/4416-24-0x0000000000DC0000-0x0000000000DE9000-memory.dmp

Filesize
164KB

Download
memory/4416-22-0x00000000031D0000-0x000000000328E000-memory.dmp

Filesize
760KB

Download
memory/4416-15-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4416-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4416-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download