


Incident response case study featuring Ryuk and Trickbot (part 2)

This is part 2 of our recent incident response study encountering a Trickbot infection.

Initial compromise

Right after tricking a user into running the malicious Office macro on their machine, thus gaining code execution, the first-stage Trickbot executable is downloaded and executed. The first-stage payload is responsible for three things.

First, Trickbot tries to disable Windows Defender by running these commands:

    cmd.exe /c sc stop WinDefend
    cmd.exe /c sc delete WinDefend
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

The next step is to unpack itself into all users' AppData/Roaming directory under a less-than-suspicious folder name (such as WinDefrag, WinSocket, GPUDriver, msnet, etc.). Last, but not least, it creates persistence. As we have already mentioned in the first part of this series, Trickbot does not need advanced persistence mechanisms; creating a scheduled task, installing a service or even a simple Run registry key persistence is sufficien…
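As an added example that is not part of the original case study, the following Python triage flags the three first-stage behaviours described above (the Defender-tampering command lines and executables launched from the named AppData\Roaming folders) in Sysmon-style process-creation records. The sample records are constructed, and the folder list is assumed not to be exhaustive.

```python
import re

# Command lines the case study attributes to Trickbot's first stage
DEFENDER_TAMPER = [
    (re.compile(r"\bsc(?:\.exe)?\s+stop\s+WinDefend\b", re.I), "sc stop WinDefend"),
    (re.compile(r"\bsc(?:\.exe)?\s+delete\s+WinDefend\b", re.I), "sc delete WinDefend"),
    (re.compile(r"Set-MpPreference\b[^|;]*-DisableRealtimeMonitoring\s+\$true", re.I),
     "Set-MpPreference -DisableRealtimeMonitoring"),
]
# Folder names under AppData\Roaming named in the case study (assumed not exhaustive)
TRICKBOT_DIRS = {"windefrag", "winsocket", "gpudriver", "msnet"}
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\([^\\]+)\\[^\\]+\.exe$", re.I)


def classify(event):
    """Return the reasons an event matches the first-stage behaviour, or [] if clean."""
    reasons = []
    cmd = event.get("CommandLine", "")
    for pattern, label in DEFENDER_TAMPER:
        if pattern.search(cmd):
            reasons.append(f"defender tamper: {label}")
    m = ROAMING_EXE.search(event.get("Image", ""))
    if m and m.group(1).lower() in TRICKBOT_DIRS:
        reasons.append(f"exe run from suspicious AppData\\Roaming folder: {m.group(1)}")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that fires at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


# Constructed Sysmon-style process-creation records, not taken from the real incident
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c sc stop WinDefend"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c sc delete WinDefend"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Users\alice\AppData\Roaming\WinDefrag\WinDefrag.exe", "CommandLine": "WinDefrag.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Teams.exe", "CommandLine": "Teams.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], reasons)
```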
