trickbot | 810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5

General

Target

Document_Covid-19_7.xls
Size

85KB
MD5

58b62b641066a1ea49e34a2f711a1854
SHA1

4bf1830ed130fe97e50807b1a4ba4749c8fefe75
SHA256

810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
SHA512

82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2

Score

10^/10

spyware trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil58

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3164	3684	rundll32.exe	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 3740 wermgr.exe
Token: SeDebugPrivilege 3740 wermgr.exe
Token: SeDebugPrivilege 3740 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	3740	wermgr.exe
Token: SeDebugPrivilege	3740	wermgr.exe
Token: SeDebugPrivilege	3740	wermgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 3684 wrote to memory of 3164	3684	EXCEL.EXE	rundll32.exe
PID 3684 wrote to memory of 3164	3684	EXCEL.EXE	rundll32.exe
PID 3164 wrote to memory of 3132	3164	rundll32.exe	rundll32.exe
PID 3164 wrote to memory of 3132	3164	rundll32.exe	rundll32.exe
PID 3164 wrote to memory of 3132	3164	rundll32.exe	rundll32.exe
PID 3132 wrote to memory of 3740	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 3740	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 3740	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 3740	3132	rundll32.exe	wermgr.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3132 rundll32.exe

pid	process
3132	rundll32.exe

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral2/memory/3132-4-0x00000000051B0000-0x00000000051DE000-memory.dmp	templ_dll
behavioral2/memory/3132-5-0x00000000051E0000-0x000000000520D000-memory.dmp	templ_dll

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3684 EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_Covid-19_7.xls"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:3684

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll,DllRegisterServer
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:3132

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll

Download Submit
\eNNzmNj\wLrKvzZ\UQEZPGU.dll

Download Submit
memory/3132-2-0x0000000000000000-mapping.dmp

Download
memory/3132-4-0x00000000051B0000-0x00000000051DE000-memory.dmp

Filesize
184KB

Download
memory/3132-5-0x00000000051E0000-0x000000000520D000-memory.dmp

Filesize
180KB

Download
memory/3164-0-0x0000000000000000-mapping.dmp

Download
memory/3740-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads