trickbot | d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f

General

Target

d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe
Size

368KB
MD5

d22e7bebd1ca8e66ad9f64ee6cf41f3c
SHA1

efcd698516621de01c9d64e9126cc841e22df9bc
SHA256

d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f
SHA512

050cb0bed63abd741132e5edfa4be7e39cac00f7d633b1aae6a02cf19251d1a4e9c8e3ff3b7e09f8480457aad84bef66f444e61e738537fb47f5ce155e4fbc85
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qn:emSuOcHmnYhrDMTrban4qn

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1372-1-0x0000000001450000-0x0000000001479000-memory.dmp	trickbot_loader32
behavioral1/memory/1372-6-0x0000000001450000-0x0000000001479000-memory.dmp	trickbot_loader32
behavioral1/memory/3100-9-0x00000000010B0000-0x00000000010D9000-memory.dmp	trickbot_loader32
behavioral1/memory/3100-24-0x00000000010B0000-0x00000000010D9000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3704	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3100	1372	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	78
PID 1372 wrote to memory of 3100	1372	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	78
PID 1372 wrote to memory of 3100	1372	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	78
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79
PID 3100 wrote to memory of 2948	3100	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe
"C:\Users\Admin\AppData\Local\Temp\d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe
  C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2410826464-2353372766-2364966905-1000\0f5007522459c86e95ffcc62f32308f1_98bf7e79-8c75-4ee3-90d5-4fb9386da93e

Filesize
1KB

MD5
9adb1d250f34b187399ebeb6717dd9d7

SHA1
bb42bd3511aa898ab46674f1f6f270b5e5469571

SHA256
bee6efd1b1650dca2cf7d89f94b526dc0a44c84c5a681b16d21893211eb3d58b

SHA512
1f562c0d413e1341ce33af969b668130273753999472f8a12b598c9dfc384eda54569a7b3cd82c1140106175b18198602e57d422e128e9fbfbfdd694351a7a42

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe

Filesize
368KB

MD5
d22e7bebd1ca8e66ad9f64ee6cf41f3c

SHA1
efcd698516621de01c9d64e9126cc841e22df9bc

SHA256
d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f

SHA512
050cb0bed63abd741132e5edfa4be7e39cac00f7d633b1aae6a02cf19251d1a4e9c8e3ff3b7e09f8480457aad84bef66f444e61e738537fb47f5ce155e4fbc85

Download Submit
memory/1372-1-0x0000000001450000-0x0000000001479000-memory.dmp

Filesize
164KB

Download
memory/1372-6-0x0000000001450000-0x0000000001479000-memory.dmp

Filesize
164KB

Download
memory/2948-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2948-21-0x000001AF91280000-0x000001AF91281000-memory.dmp

Filesize
4KB

Download
memory/2948-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3100-15-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/3100-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3100-22-0x0000000002C80000-0x0000000002D3D000-memory.dmp

Filesize
756KB

Download
memory/3100-23-0x0000000002D40000-0x00000000030B4000-memory.dmp

Filesize
3.5MB

Download
memory/3100-24-0x00000000010B0000-0x00000000010D9000-memory.dmp

Filesize
164KB

Download
memory/3100-9-0x00000000010B0000-0x00000000010D9000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing