Managed XDR

myfile.exe (TrickBot) — malware analysis report

File info

Filename
myfile.exe
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
427.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
96e977bc93cb7ea515cf77be800b45f1c2578fb4
SHA256
635e7ea673d723ea2d94dfba5fe0bbb0e1207288e3f341e93433b12aaa812e7c
MD5
6d4668fe2f4041fe87ce953ef9d55e48

Malwares

  • TrickBot

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

Impact

T1489 stops_service: Stops Windows services
T1489 net_stop: Stops services through the use of net stop

Other

yara_rules: Static rules
copies_self: Creates a copy of itself
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory

Related reports