trickbot | 89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
Size

368KB
MD5

42cf0113caf4a1f23b6eb382cb885510
SHA1

cce07b6527d101d27eeb1b4c878197185a2ed08f
SHA256

89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88
SHA512

d7f1f792240c50009851970d07aae23004c9b57d55a65a1e649ce44af789f593644358fbbfe351b3bfb013b83d4749057be62c65cf4a438d5eb723efbe58633a
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q2:emSuOcHmnYhrDMTrban4q2

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1076-1-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/1076-7-0x0000000000080000-0x00000000000A9000-memory.dmp	trickbot_loader32
behavioral1/memory/1424-10-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32
behavioral1/memory/1424-20-0x00000000000F0000-0x0000000000119000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
1232	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe

Loads dropped DLL 1 IoCs

pid	Process
1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
2984	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2192	sc.exe
2644	sc.exe
2632	sc.exe
2448	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
2984	powershell.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeTcbPrivilege	1232	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1532	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	30
PID 1076 wrote to memory of 1532	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	30
PID 1076 wrote to memory of 1532	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	30
PID 1076 wrote to memory of 1532	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	30
PID 1076 wrote to memory of 1432	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	31
PID 1076 wrote to memory of 1432	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	31
PID 1076 wrote to memory of 1432	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	31
PID 1076 wrote to memory of 1432	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	31
PID 1076 wrote to memory of 2004	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	33
PID 1076 wrote to memory of 2004	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	33
PID 1076 wrote to memory of 2004	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	33
PID 1076 wrote to memory of 2004	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	33
PID 1076 wrote to memory of 1424	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	36
PID 1076 wrote to memory of 1424	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	36
PID 1076 wrote to memory of 1424	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	36
PID 1076 wrote to memory of 1424	1076	89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe	36
PID 1432 wrote to memory of 2448	1432	cmd.exe	37
PID 1432 wrote to memory of 2448	1432	cmd.exe	37
PID 1432 wrote to memory of 2448	1432	cmd.exe	37
PID 1432 wrote to memory of 2448	1432	cmd.exe	37
PID 1532 wrote to memory of 2192	1532	cmd.exe	38
PID 1532 wrote to memory of 2192	1532	cmd.exe	38
PID 1532 wrote to memory of 2192	1532	cmd.exe	38
PID 1532 wrote to memory of 2192	1532	cmd.exe	38
PID 1424 wrote to memory of 2472	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	39
PID 1424 wrote to memory of 2472	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	39
PID 1424 wrote to memory of 2472	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	39
PID 1424 wrote to memory of 2472	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	39
PID 1424 wrote to memory of 2804	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	40
PID 1424 wrote to memory of 2804	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	40
PID 1424 wrote to memory of 2804	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	40
PID 1424 wrote to memory of 2804	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	40
PID 2004 wrote to memory of 2808	2004	cmd.exe	41
PID 2004 wrote to memory of 2808	2004	cmd.exe	41
PID 2004 wrote to memory of 2808	2004	cmd.exe	41
PID 2004 wrote to memory of 2808	2004	cmd.exe	41
PID 1424 wrote to memory of 2888	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	43
PID 1424 wrote to memory of 2888	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	43
PID 1424 wrote to memory of 2888	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	43
PID 1424 wrote to memory of 2888	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	43
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 1424 wrote to memory of 2748	1424	99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe	46
PID 2804 wrote to memory of 2644	2804	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe
"C:\Users\Admin\AppData\Local\Temp\89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Users\Admin\AppData\Roaming\WNetval\99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2748

C:\Windows\system32\taskeng.exe
taskeng.exe {F334E06A-3117-433A-A7BD-A83FD0F68C55} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1864
- C:\Users\Admin\AppData\Roaming\WNetval\99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\0f5007522459c86e95ffcc62f32308f1_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269

Filesize
1KB

MD5
3019887f587997548e26696059bbc637

SHA1
2412ced3c7fe3c02c60e794da1c16cc1c28493d7

SHA256
7f5ecd4c4307b5b9d3c50bdd851f566491057cb641a7f1fa7bd4e02a487fea0b

SHA512
fa2040b28188701bb748710f24d557f3b4de1a22c9b94b9793f6c1e920b9421facf9f0ca2088169a3d1815a720e075cbd7d8439d0122542ee8e183dd92a4a293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9d88df391ee3f9060ae543247d6d0810

SHA1
461c854b51c8cb68e1cb42a38c2e1d9c1591e710

SHA256
ff367ef2b4c53c6ba164be3f4711b2914f7789733a5bdc569b8ca840979e3af1

SHA512
171f371c0d884649928a335e4cdbbec0f5cfa5f4383f7a60601e27af854d1bb1af91c76908157b9e3f1041dfb03f35dcb8047c54127874f7c0a750e752526522

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\99b894bc60363c214039d9196fbf2e363ed8a60b7a9e103777f8161f138fde99N.exe

Filesize
368KB

MD5
42cf0113caf4a1f23b6eb382cb885510

SHA1
cce07b6527d101d27eeb1b4c878197185a2ed08f

SHA256
89b794bc50353c214039d8195fbf2e353ed7a50b6a8e103666f7151f137fde88

SHA512
d7f1f792240c50009851970d07aae23004c9b57d55a65a1e649ce44af789f593644358fbbfe351b3bfb013b83d4749057be62c65cf4a438d5eb723efbe58633a

Download Submit
memory/1076-1-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1076-7-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1424-10-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/1424-20-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download
memory/1424-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2748-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2748-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download