Managed XDR

runtime (TrickBot) — malware analysis report

File info

Filename
runtime
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
560.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
da989770e45783768a2fedc8594258a06f5940c5
SHA256
ad306b7bd6075501ccad5d4bb7ade2c70fd185353827f69ed6b6c34527e271eb
MD5
a6be733e8ccba6710806308d0bb65e31

Malwares

  • TrickBot

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1574.011 persistence_services: Modifies Services registry key
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1082 recon_url_beacon: Sends information about the computer over the network using URL
T1033 recon_url_beacon: Sends information about the computer over the network using URL
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

Command and Control

T1071.001 recon_url_beacon: Sends information about the computer over the network using URL
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Impact

T1489 stops_service: Stops Windows services
T1489 net_stop: Stops services through the use of net stop

Other

yara_rules: Static rules
ce_info: Trickbot Configuration Data found
trickbot: TrickBot banking Trojan indicators detected
trickbot_https_request: Performs https queries specific to TrickBot
copies_self: Creates a copy of itself
ip_domains: Identifies an IP address using external resources
creates_exe: Creates executable files in the file system
dead_host: Connects to IP addresses that do not respond to requests
executes_dropped_exe: Executes dropped exe files
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
origin_langid: Unconventional language of the executable file
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
suricata_alert: Malicious traffic detected

Related reports