Managed XDR

t3buftftek4mk1d.exe (TrickBot) — malware analysis report

File info

Filename
t3buftftek4mk1d.exe
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
384.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
b84bdb8f039b0ad9ae07e1632f72a6a5e86f37a1
SHA256
26f3b30761bb19d0774b862524621b5d74559b4185612ba899a11bcb5765e5da
MD5
8bedebb23e427c1dd5e7cabbb17832e6

Malwares

  • TrickBot

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1049 list_ts_rdp_sessions: Lists ts/rdp sessions
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)

Impact

T1489 stops_service: Stops Windows services
T1489 net_stop: Stops services through the use of net stop

Other

yara_rules: Static rules
copies_self: Creates a copy of itself
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory

Related reports