trickbot | 052c9196dfe764f1fbd3850d706d10601235dc266d1151c93d34454a12206c28

General

Target

boq_6_boq.doc
Size

684KB
MD5

4913959946c7c8d9ff682439eb108928
SHA1

2e77f1b7c588d274bd998dc6dda422363cc6f9ba
SHA256

052c9196dfe764f1fbd3850d706d10601235dc266d1151c93d34454a12206c28
SHA512

b74c1b001c628bc762eda6d724b674b8951380d8eb1e94fdfc59852b67e851b8ca670905e565467431c5c8b0282fe5f6c9f4ba8f0ce41840530959c13ce1c595

Score

10^/10

trojan banker trickbot spyware persistence

Malware Config

Extracted

Family

trickbot

Version

1000513

Botnet

ono76

C2

51.89.177.20:443

194.5.249.174:443

107.174.196.242:443

185.205.209.241:443

82.146.46.220:443

5.34.178.126:443

212.22.70.65:443

195.123.241.90:443

185.164.32.214:443

198.46.198.139:443

195.123.241.187:443

86.104.194.116:443

195.123.240.252:443

185.164.32.215:443

45.148.120.195:443

45.138.158.32:443

5.149.253.99:443

92.62.65.163:449

88.247.212.56:449

180.211.170.214:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	332	1124	explorer.exe	WINWORD.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blacklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

28 332 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1088 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipecho.net

flow	pid	process
28	332	cmd.exe

pid	process
1088	regsvr32.exe

flow	ioc
22	ipecho.net

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe

Office loads VBA resources, possible macro or embedded object present
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1968 net.exe
1956 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1876 ipconfig.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1124 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cmd.execmd.exe

pid process

704 cmd.exe
332 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

1124 WINWORD.EXE

pid	process
1968	net.exe
1956	net.exe

pid	process
1876	ipconfig.exe

pid	process
1124	WINWORD.EXE

pid	process
704	cmd.exe
332	cmd.exe

pid	process
1124	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WINWORD.EXEwermgr.execmd.exe

description	pid	process
Token: SeShutdownPrivilege	1124	WINWORD.EXE
Token: SeDebugPrivilege	1592	wermgr.exe
Token: SeDebugPrivilege	1592	wermgr.exe
Token: SeDebugPrivilege	1592	wermgr.exe
Token: SeDebugPrivilege	704	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1124 WINWORD.EXE
1124 WINWORD.EXE

pid	process
1124	WINWORD.EXE
1124	WINWORD.EXE

Suspicious use of WriteProcessMemory 729 IoCs

Processes:

WINWORD.EXEexplorer.exeWScript.exeregsvr32.exeregsvr32.exewermgr.exe

description	pid	process	target process
PID 1124 wrote to memory of 332	1124	WINWORD.EXE	explorer.exe
PID 1124 wrote to memory of 332	1124	WINWORD.EXE	explorer.exe
PID 1124 wrote to memory of 332	1124	WINWORD.EXE	explorer.exe
PID 1664 wrote to memory of 308	1664	explorer.exe	WScript.exe
PID 1664 wrote to memory of 308	1664	explorer.exe	WScript.exe
PID 1664 wrote to memory of 308	1664	explorer.exe	WScript.exe
PID 308 wrote to memory of 1492	308	WScript.exe	regsvr32.exe
PID 308 wrote to memory of 1492	308	WScript.exe	regsvr32.exe
PID 308 wrote to memory of 1492	308	WScript.exe	regsvr32.exe
PID 308 wrote to memory of 1492	308	WScript.exe	regsvr32.exe
PID 308 wrote to memory of 1492	308	WScript.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1492 wrote to memory of 1088	1492	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1088 wrote to memory of 1592	1088	regsvr32.exe	wermgr.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe
PID 1592 wrote to memory of 704	1592	wermgr.exe	cmd.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\boq_6_boq.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\explorer.exe
explorer c:\programdata\objStreamUTF8NoBOM.Vbe
2⤵
- Process spawned unexpected child process
PID:332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\objStreamUTF8NoBOM.Vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\UTF8NoBOM\APSLVDFB.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\regsvr32.exe
c:\UTF8NoBOM\APSLVDFB.dll
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\system32\ipconfig.exe
ipconfig /all
7⤵
- Modifies service
- Gathers network information
PID:1876

C:\Windows\system32\net.exe
net config workstation
7⤵
PID:1548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
8⤵
PID:1888

C:\Windows\system32\net.exe
net view /all
7⤵
- Discovers systems in the same network
PID:1968

C:\Windows\system32\net.exe
net view /all /domain
7⤵
- Discovers systems in the same network
PID:1956

C:\Windows\system32\nltest.exe
nltest /domain_trusts
7⤵
PID:1856

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
7⤵
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\objStreamUTF8NoBOM.Vbe

Download Submit
\??\c:\UTF8NoBOM\APSLVDFB.dll

Download Submit
\UTF8NoBOM\APSLVDFB.dll

Download Submit
memory/308-16-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download
memory/308-14-0x0000000000000000-mapping.dmp

Download
memory/332-103-0x0000000000190000-0x0000000000190080-memory.dmp

Filesize
128B

Download
memory/332-68-0x0000000000190000-0x0000000000190080-memory.dmp

Filesize
128B

Download
memory/332-12-0x0000000000000000-mapping.dmp

Download
memory/332-120-0x0000000000130000-0x000000000013000D-memory.dmp

Filesize
13B

Download
memory/332-118-0x0000000000160000-0x0000000000160188-memory.dmp

Filesize
392B

Download
memory/332-67-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/332-108-0x0000000000160000-0x0000000000160188-memory.dmp

Filesize
392B

Download
memory/332-71-0x0000000000130000-0x000000000013000D-memory.dmp

Filesize
13B

Download
memory/332-65-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/332-70-0x0000000000150000-0x0000000000150400-memory.dmp

Filesize
1024B

Download
memory/332-57-0x0000000000000000-mapping.dmp

Download
memory/620-117-0x0000000000000000-mapping.dmp

Download
memory/704-23-0x0000000000000000-mapping.dmp

Download
memory/704-35-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/704-36-0x0000000000330000-0x0000000000330017-memory.dmp

Filesize
23B

Download
memory/1088-21-0x0000000001DB0000-0x0000000001DE6000-memory.dmp

Filesize
216KB

Download
memory/1088-20-0x0000000000780000-0x00000000007B8000-memory.dmp

Filesize
224KB

Download
memory/1088-18-0x0000000000000000-mapping.dmp

Download
memory/1124-1-0x0000000007260000-0x000000000730C000-memory.dmp

Filesize
688KB

Download
memory/1124-11-0x00000000084C0000-0x00000000084D1000-memory.dmp

Filesize
68KB

Download
memory/1124-2-0x0000000006260000-0x0000000006264000-memory.dmp

Filesize
16KB

Download
memory/1124-0-0x0000000006260000-0x0000000006264000-memory.dmp

Filesize
16KB

Download
memory/1124-5-0x0000000006260000-0x0000000006264000-memory.dmp

Filesize
16KB

Download
memory/1124-8-0x00000000073E0000-0x00000000073E4000-memory.dmp

Filesize
16KB

Download
memory/1124-6-0x00000000073E0000-0x00000000073E4000-memory.dmp

Filesize
16KB

Download
memory/1492-15-0x0000000000000000-mapping.dmp

Download
memory/1548-111-0x0000000000000000-mapping.dmp

Download
memory/1592-22-0x0000000000000000-mapping.dmp

Download
memory/1856-116-0x0000000000000000-mapping.dmp

Download
memory/1876-109-0x0000000000000000-mapping.dmp

Download
memory/1888-112-0x0000000000000000-mapping.dmp

Download
memory/1956-114-0x0000000000000000-mapping.dmp

Download
memory/1968-113-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads