# Process Hollowing (Trickbot)

- Sample/Environment
- Analysis contents
  - File copy
  - VirtualAlloc and Data transition
  - Creating Process and Heaven's Gate (Process Hollowing)

## Sample/Environment

- Sample

|sha256|[3A6C3F7B99B2E76914FBC338C622B92F9825CB77729B8BF050BA64ECE1679818](https://www.virustotal.com/gui/file/3a6c3f7b99b2e76914fbc338c622b92f9825cb77729b8bf050ba64ece1679818/detection)|
|:-|:-|
|filetype|PE (exe, 32bit)|
|sandbox|[ANYRUN](https://app.any.run/tasks/9f302b49-4585-4905-b466-9459ff88c558/) / [HYBRID ANALYSIS](https://www.hybrid-analysis.com/sample/3a6c3f7b99b2e76914fbc338c622b92f9825cb77729b8bf050ba64ece1679818?environmentId=100) / [Triage](https://tria.ge/reports/191018-jnffne1l7x/task2)|

- Environment

|vm|VirtualBox 5.2, Guest Additions installed|
|:-|:-|
|os|Windows 10 Home 64bit, FLARE VM installed|
|debugger|x32/x64dbg, WinDbg|

## Analysis contents

### File copy

![](https://github.com/mether049/malware/blob/master/Trickbot/img/shellexecute_2_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/filecopy_1_940.png)

### VirtualAlloc and Data transition

![](https://github.com/mether049/malware/blob/master/Trickbot/img/virtualalloc_3_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/datasection_4_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/datacopy_5_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/datacopy2_6_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/decode_7_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/decode2_8_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/copytext_9_940.png)

### Creating Process and Heaven's Gate (Process Hollowing)

![](https://github.com/mether049/malware/blob/master/Trickbot/img/svchost_10_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/heavensgate_11_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/ntdll_12_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/crccalc_13_940.png)
![](https://github.com/mether049/malware/blob/master/Trickbot/img/crccmp_14_940.png)