trickbot | 22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1

General

Target

131.doc
Size

534KB
MD5

3e241f5a1e7be77f25078560c8660351
SHA1

ba25c371e75d1a52c1f41c163dc8840626423948
SHA256

22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1
SHA512

4f031f6a3e44687ca65ceec847aacf3053feec0882bd5c07febef85ba1a7570ec1f4357446dfc84226448e1d8eb342066eeb3e6e7394d53caadd66223a2ff345

Score

10^/10

spyware trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3212 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ipecho.net

pid	process
3212	regsvr32.exe

flow	ioc
32	ipecho.net

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30837872"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30837872"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1900678942"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1889133050"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "307073298"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C1839C5-F863-11EA-BEC3-CE2BBF8BD1B2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1889133050"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "307056704"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30837872"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "307105290"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1064 WINWORD.EXE
1064 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2716 wermgr.exe
Token: SeDebugPrivilege 2716 wermgr.exe
Token: SeDebugPrivilege 2716 wermgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2056 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2716	wermgr.exe
Token: SeDebugPrivilege	2716	wermgr.exe
Token: SeDebugPrivilege	2716	wermgr.exe

pid	process
2056	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXE

pid	process
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
1064	WINWORD.EXE
2056	iexplore.exe
2056	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exeiexplore.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3356 wrote to memory of 1348	3356	WScript.exe	cmd.exe
PID 3356 wrote to memory of 1348	3356	WScript.exe	cmd.exe
PID 2056 wrote to memory of 2180	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2180	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2180	2056	iexplore.exe	IEXPLORE.EXE
PID 3356 wrote to memory of 2456	3356	WScript.exe	certutil.exe
PID 3356 wrote to memory of 2456	3356	WScript.exe	certutil.exe
PID 3356 wrote to memory of 1440	3356	WScript.exe	regsvr32.exe
PID 3356 wrote to memory of 1440	3356	WScript.exe	regsvr32.exe
PID 1440 wrote to memory of 3212	1440	regsvr32.exe	regsvr32.exe
PID 1440 wrote to memory of 3212	1440	regsvr32.exe	regsvr32.exe
PID 1440 wrote to memory of 3212	1440	regsvr32.exe	regsvr32.exe
PID 3212 wrote to memory of 2716	3212	regsvr32.exe	wermgr.exe
PID 3212 wrote to memory of 2716	3212	regsvr32.exe	wermgr.exe
PID 3212 wrote to memory of 2716	3212	regsvr32.exe	wermgr.exe
PID 3212 wrote to memory of 2716	3212	regsvr32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
  2⤵
  PID:1348
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
  2⤵
  PID:2456
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\regsvr32.exe
    c:\drad\ONKVD.dll
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drad\ONKVD.dll

Download Submit
C:\ProgramData\openssl.vbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OSIMJSAC.cookie

Download Submit
\??\c:\drad\ONKVD.dll

Download Submit
\Drad\ONKVD.dll

Download Submit
memory/1064-5-0x000001E491050000-0x000001E491094000-memory.dmp

Filesize
272KB

Download
memory/1064-3-0x000001E489D74000-0x000001E489DAD000-memory.dmp

Filesize
228KB

Download
memory/1064-6-0x000001E491050000-0x000001E491094000-memory.dmp

Filesize
272KB

Download
memory/1064-0-0x00007FFEF8AE0000-0x00007FFEF91A6000-memory.dmp

Filesize
6.8MB

Download
memory/1064-4-0x000001E491050000-0x000001E491094000-memory.dmp

Filesize
272KB

Download
memory/1064-1-0x000001E489D74000-0x000001E489DAD000-memory.dmp

Filesize
228KB

Download
memory/1064-2-0x000001E491050000-0x000001E491094000-memory.dmp

Filesize
272KB

Download
memory/1348-10-0x0000000000000000-mapping.dmp

Download
memory/1440-14-0x0000000000000000-mapping.dmp

Download
memory/2180-11-0x0000000000000000-mapping.dmp

Download
memory/2456-12-0x0000000000000000-mapping.dmp

Download
memory/2716-20-0x0000000000000000-mapping.dmp

Download
memory/3212-16-0x0000000000000000-mapping.dmp

Download
memory/3212-19-0x0000000000A20000-0x0000000000A56000-memory.dmp

Filesize
216KB

Download
memory/3212-18-0x00000000009E0000-0x0000000000A17000-memory.dmp

Filesize
220KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads