trickbot | d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f

General

Target

d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe
Size

368KB
MD5

d22e7bebd1ca8e66ad9f64ee6cf41f3c
SHA1

efcd698516621de01c9d64e9126cc841e22df9bc
SHA256

d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f
SHA512

050cb0bed63abd741132e5edfa4be7e39cac00f7d633b1aae6a02cf19251d1a4e9c8e3ff3b7e09f8480457aad84bef66f444e61e738537fb47f5ce155e4fbc85
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qn:emSuOcHmnYhrDMTrban4qn

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1472-1-0x0000000000E20000-0x0000000000E49000-memory.dmp	trickbot_loader32
behavioral1/memory/2428-8-0x00000000008B0000-0x00000000008D9000-memory.dmp	trickbot_loader32
behavioral1/memory/1472-9-0x0000000000E20000-0x0000000000E49000-memory.dmp	trickbot_loader32
behavioral1/memory/2428-24-0x00000000008B0000-0x00000000008D9000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3112	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2428	1472	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	77
PID 1472 wrote to memory of 2428	1472	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	77
PID 1472 wrote to memory of 2428	1472	d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe	77
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78
PID 2428 wrote to memory of 3724	2428	d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe
"C:\Users\Admin\AppData\Local\Temp\d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe
  C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3724

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b7443e89f0cb29d51ee6a257750e54d2

SHA1
84127eebf275e781d5276af6fc4d09c5a6bfb7b9

SHA256
8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26

SHA512
446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2dfa537d7e7d11c7781652cf2ed49a6f

SHA1
f6b77ccf66633ed19c707364e90b7b9be2e517c3

SHA256
09efc6acacca137ee3d416e4f8f25820fde2508012a5d1be643044f05e1d294b

SHA512
ddeb30d036d0e096393b90b9db04901525a68c08e0de7faebb921461f4b60c56f34fe5e1677f5328f64456a0e1de8b84b2c180ddea97daa29992140099d8672d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4018527317-446799424-2810249686-1000\0f5007522459c86e95ffcc62f32308f1_efdc4609-d947-4be0-b0f4-e56701f439f5

Filesize
1KB

MD5
1ee96ce39badcf7884af6056fcb755cd

SHA1
53f64a43c6677d67193cd36b52aa349af5199628

SHA256
c8b05e7b292a1860290ecbdb1f5c951b542b24dfd1fc94ce83d193c40455ecbc

SHA512
ca15011f9a56d8a70152df1bb4cce40e1b0276cb6a32186a2153ccdb3483a49653220a7c0e12905f3c3c879bfa4c6bcbca8ea654f1875427d723dc129c7c5ad7

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\d3d737cf340490168909cbef06609be66392966a71931160e9c849847902e18f.exe

Filesize
368KB

MD5
d22e7bebd1ca8e66ad9f64ee6cf41f3c

SHA1
efcd698516621de01c9d64e9126cc841e22df9bc

SHA256
d3d636cf340490157808cbef05509be55382855a61831150e8c749746902e17f

SHA512
050cb0bed63abd741132e5edfa4be7e39cac00f7d633b1aae6a02cf19251d1a4e9c8e3ff3b7e09f8480457aad84bef66f444e61e738537fb47f5ce155e4fbc85

Download Submit
memory/1472-1-0x0000000000E20000-0x0000000000E49000-memory.dmp

Filesize
164KB

Download
memory/1472-9-0x0000000000E20000-0x0000000000E49000-memory.dmp

Filesize
164KB

Download
memory/2428-15-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2428-22-0x0000000002850000-0x000000000290D000-memory.dmp

Filesize
756KB

Download
memory/2428-24-0x00000000008B0000-0x00000000008D9000-memory.dmp

Filesize
164KB

Download
memory/2428-23-0x0000000002910000-0x0000000002C84000-memory.dmp

Filesize
3.5MB

Download
memory/2428-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2428-8-0x00000000008B0000-0x00000000008D9000-memory.dmp

Filesize
164KB

Download
memory/3724-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3724-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3724-21-0x00000170F75D0000-0x00000170F75D1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing