Managed XDR

myfile.exe (TrickBot) — malware analysis report

File info

Filename: myfile.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 564.8 KB
First seen: 2024-03-14 13:12
Last seen: 2025-10-28 14:08

Environment

w10/x86 en

Hashes

SHA1: 29eb8fb34f9fb8faabe0b676877c4d4485154a1e
SHA256: 327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea
MD5: 89a3e160348482bb1701a9ca51db4679

Malwares

TrickBot

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.001 suspicious_process: Spawns a suspicious process

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1057 process_interest: Enumerates processes

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antivm_queries_computername: Retrieves the computer name

Impact

T1489 net_stop: Stops services through the use of net stop

Other

yara_rules: Static rules

vir_napolar: Napolar indicators detected

copies_self: Creates a copy of itself

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

Related reports

Managed XDR