trickbot | 22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1

General

Target

131.doc
Size

534KB
MD5

3e241f5a1e7be77f25078560c8660351
SHA1

ba25c371e75d1a52c1f41c163dc8840626423948
SHA256

22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1
SHA512

4f031f6a3e44687ca65ceec847aacf3053feec0882bd5c07febef85ba1a7570ec1f4357446dfc84226448e1d8eb342066eeb3e6e7394d53caadd66223a2ff345

Score

10^/10

trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

804 regsvr32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 api.ipify.org
41 api.ipify.org

pid	process
804	regsvr32.exe

flow	ioc
40	api.ipify.org
41	api.ipify.org

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30837893"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3557124894"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3563062566"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30837893"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "307065890"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF7F4426-F878-11EA-95F0-DA5369A961A0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30837893"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3556968764"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "307082484"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "307114475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

4048 WINWORD.EXE
4048 WINWORD.EXE
208 WINWORD.EXE
208 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1992 wermgr.exe
Token: SeDebugPrivilege 1992 wermgr.exe
Token: SeDebugPrivilege 1992 wermgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1508 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1992	wermgr.exe
Token: SeDebugPrivilege	1992	wermgr.exe
Token: SeDebugPrivilege	1992	wermgr.exe

pid	process
1508	iexplore.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

WINWORD.EXEWINWORD.EXEiexplore.exeIEXPLORE.EXE

pid	process
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
4048	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
208	WINWORD.EXE
1508	iexplore.exe
1508	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exeiexplore.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3684 wrote to memory of 4044	3684	WScript.exe	cmd.exe
PID 3684 wrote to memory of 4044	3684	WScript.exe	cmd.exe
PID 1508 wrote to memory of 1160	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1160	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1160	1508	iexplore.exe	IEXPLORE.EXE
PID 3684 wrote to memory of 3760	3684	WScript.exe	certutil.exe
PID 3684 wrote to memory of 3760	3684	WScript.exe	certutil.exe
PID 3684 wrote to memory of 3748	3684	WScript.exe	regsvr32.exe
PID 3684 wrote to memory of 3748	3684	WScript.exe	regsvr32.exe
PID 3748 wrote to memory of 804	3748	regsvr32.exe	regsvr32.exe
PID 3748 wrote to memory of 804	3748	regsvr32.exe	regsvr32.exe
PID 3748 wrote to memory of 804	3748	regsvr32.exe	regsvr32.exe
PID 804 wrote to memory of 1992	804	regsvr32.exe	wermgr.exe
PID 804 wrote to memory of 1992	804	regsvr32.exe	wermgr.exe
PID 804 wrote to memory of 1992	804	regsvr32.exe	wermgr.exe
PID 804 wrote to memory of 1992	804	regsvr32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3980

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:208

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
  2⤵
  PID:4044
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
  2⤵
  PID:3760
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\regsvr32.exe
    c:\drad\ONKVD.dll
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drad\ONKVD.dll

Download Submit
C:\ProgramData\openssl.vbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NJBYJG7J.cookie

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Download Submit
\??\c:\drad\ONKVD.dll

Download Submit
\Drad\ONKVD.dll

Download Submit
memory/208-9-0x0000014BED170000-0x0000014BED174000-memory.dmp

Filesize
16KB

Download
memory/208-3-0x00007FFDCD1A0000-0x00007FFDCD866000-memory.dmp

Filesize
6.8MB

Download
memory/804-31-0x0000000000910000-0x0000000000947000-memory.dmp

Filesize
220KB

Download
memory/804-29-0x0000000000000000-mapping.dmp

Download
memory/804-32-0x0000000000950000-0x0000000000986000-memory.dmp

Filesize
216KB

Download
memory/1160-24-0x0000000000000000-mapping.dmp

Download
memory/1992-33-0x0000000000000000-mapping.dmp

Download
memory/3748-27-0x0000000000000000-mapping.dmp

Download
memory/3760-25-0x0000000000000000-mapping.dmp

Download
memory/4044-23-0x0000000000000000-mapping.dmp

Download
memory/4048-0-0x00007FFDCD1A0000-0x00007FFDCD866000-memory.dmp

Filesize
6.8MB

Download
memory/4048-2-0x00007FFDCEC00000-0x00007FFDD1763000-memory.dmp

Filesize
43.4MB

Download
memory/4048-1-0x00007FFDCEC00000-0x00007FFDD1763000-memory.dmp

Filesize
43.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads