trickbot | 49a193afe2b75716f99338d1653dd321db5b0b4af3be050691605a861471be2e

General

Target

Notification082520.doc
Size

285KB
MD5

f9cac6a43d460d5afc7428a1014a59af
SHA1

e7ae3fe9226a646711c7b31593e05368b4395d2a
SHA256

49a193afe2b75716f99338d1653dd321db5b0b4af3be050691605a861471be2e
SHA512

c12f18c7e4fee24fdcaf145178967295c5d11d6565590cc3f3db8fbf7d30432185651151156873142e52137ac50787d8d6f9d992ec4a149cbdf3a5926b59746d

Score

10^/10

trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000513

Botnet

chil103

C2

51.89.177.20:443

194.5.249.174:443

107.174.196.242:443

185.205.209.241:443

82.146.46.220:443

5.34.178.126:443

212.22.70.65:443

195.123.241.90:443

185.164.32.214:443

198.46.198.139:443

195.123.241.187:443

86.104.194.116:443

195.123.240.252:443

185.164.32.215:443

45.148.120.195:443

45.138.158.32:443

5.149.253.99:443

92.62.65.163:449

88.247.212.56:449

180.211.170.214:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exeREGSVR32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3336	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3336	REGSVR32.exe

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 4 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral2/memory/632-11-0x0000000003390000-0x00000000033BE000-memory.dmp	templ_dll
behavioral2/memory/632-11-0x0000000003390000-0x00000000033BE000-memory.dmp	templ_dll
behavioral2/memory/632-12-0x0000000003400000-0x000000000342C000-memory.dmp	templ_dll
behavioral2/memory/632-12-0x0000000003400000-0x000000000342C000-memory.dmp	templ_dll

Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 3628 WScript.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

632 regsvr32.exe

flow	pid	process
5	3628	WScript.exe

pid	process
632	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings rundll32.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3044 WINWORD.EXE
3044 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 900 wermgr.exe
Token: SeDebugPrivilege 900 wermgr.exe
Token: SeDebugPrivilege 900 wermgr.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings	rundll32.exe

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3044	WINWORD.EXE
3044	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	900	wermgr.exe
Token: SeDebugPrivilege	900	wermgr.exe
Token: SeDebugPrivilege	900	wermgr.exe

pid	process
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exeREGSVR32.exeregsvr32.exe

description	pid	process	target process
PID 2668 wrote to memory of 3628	2668	rundll32.exe	WScript.exe
PID 2668 wrote to memory of 3628	2668	rundll32.exe	WScript.exe
PID 552 wrote to memory of 632	552	REGSVR32.exe	regsvr32.exe
PID 552 wrote to memory of 632	552	REGSVR32.exe	regsvr32.exe
PID 552 wrote to memory of 632	552	REGSVR32.exe	regsvr32.exe
PID 632 wrote to memory of 900	632	regsvr32.exe	wermgr.exe
PID 632 wrote to memory of 900	632	regsvr32.exe	wermgr.exe
PID 632 wrote to memory of 900	632	regsvr32.exe	wermgr.exe
PID 632 wrote to memory of 900	632	regsvr32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Notification082520.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\system32\rundll32.exe
rundll32.exe zipfldr.dll,RouteTheCall c:\syslogs\fa.vbs
1⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\syslogs\fa.vbs"
  2⤵
  - Blacklisted process makes network request
  PID:3628

C:\Windows\system32\REGSVR32.exe
REGSVR32 -s c:\syslogs\w_monitor.dll
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\regsvr32.exe
  -s c:\syslogs\w_monitor.dll
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\syslogs\fa.vbs

Download Submit
\??\c:\syslogs\w_monitor.dll

Download Submit
\syslogs\w_monitor.dll

Download Submit
memory/632-9-0x0000000000000000-mapping.dmp

Download
memory/632-11-0x0000000003390000-0x00000000033BE000-memory.dmp

Filesize
184KB

Download
memory/632-12-0x0000000003400000-0x000000000342C000-memory.dmp

Filesize
176KB

Download
memory/900-13-0x0000000000000000-mapping.dmp

Download
memory/3044-0-0x00007FFBC8230000-0x00007FFBC88F6000-memory.dmp

Filesize
6.8MB

Download
memory/3628-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads