trickbot | c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a

General

Target

trick.dll
Size

272KB
MD5

5f7b5a98f75f4aa550e4368eb6dc9733
SHA1

d835a309e249f5d526529b9a28ed138b1bcfd40b
SHA256

c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a
SHA512

167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac

Score

10^/10

trickbot rob7 banker persistence spyware trojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

rob7

C2

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blacklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

36 1328 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ident.me
21 ident.me

flow	pid	process
36	1328	cmd.exe

flow	ioc
20	ident.me
21	ident.me

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\notepad.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1848 net.exe
852 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1584 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cmd.execmd.exe

pid process

820 cmd.exe
1328 cmd.exe
820 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.execmd.exe

description pid process

Token: SeDebugPrivilege 1768 wermgr.exe
Token: SeDebugPrivilege 820 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	regsvr32.exe

pid	process
1848	net.exe
852	net.exe

pid	process
1584	ipconfig.exe

pid	process
820	cmd.exe
1328	cmd.exe
820	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1768	wermgr.exe
Token: SeDebugPrivilege	820	cmd.exe

Suspicious use of WriteProcessMemory 721 IoCs

Processes:

regsvr32.exeregsvr32.exewermgr.exe

description	pid	process	target process
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1628	2028	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1628 wrote to memory of 1768	1628	regsvr32.exe	wermgr.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe
PID 1768 wrote to memory of 820	1768	wermgr.exe	cmd.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trick.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\trick.dll
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Modifies service
- Gathers network information
PID:1584

C:\Windows\system32\net.exe
net config workstation
5⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:1228

C:\Windows\system32\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:1848

C:\Windows\system32\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:852

C:\Windows\system32\nltest.exe
nltest /domain_trusts
5⤵
PID:1964

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
5⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-5-0x0000000000000000-mapping.dmp

Download
memory/820-96-0x0000000000330000-0x0000000000330017-memory.dmp

Filesize
23B

Download
memory/820-17-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/820-18-0x0000000000330000-0x0000000000330017-memory.dmp

Filesize
23B

Download
memory/852-89-0x0000000000000000-mapping.dmp

Download
memory/1228-87-0x0000000000000000-mapping.dmp

Download
memory/1328-83-0x0000000000250000-0x0000000000250188-memory.dmp

Filesize
392B

Download
memory/1328-40-0x0000000000000000-mapping.dmp

Download
memory/1328-95-0x0000000000230000-0x000000000023000D-memory.dmp

Filesize
13B

Download
memory/1328-93-0x0000000000250000-0x0000000000250188-memory.dmp

Filesize
392B

Download
memory/1328-50-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/1328-51-0x0000000000240000-0x0000000000240400-memory.dmp

Filesize
1024B

Download
memory/1328-52-0x0000000000230000-0x000000000023000D-memory.dmp

Filesize
13B

Download
memory/1328-48-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/1580-92-0x0000000000000000-mapping.dmp

Download
memory/1584-84-0x0000000000000000-mapping.dmp

Download
memory/1628-1-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/1628-2-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download
memory/1628-0-0x0000000000000000-mapping.dmp

Download
memory/1628-3-0x0000000001DE0000-0x0000000001E16000-memory.dmp

Filesize
216KB

Download
memory/1768-4-0x0000000000000000-mapping.dmp

Download
memory/1848-88-0x0000000000000000-mapping.dmp

Download
memory/1964-91-0x0000000000000000-mapping.dmp

Download
memory/2000-86-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing