trickbot | fdf0bbffa4a066cc58dbbb2f0c11b46757eb6466cd752bce6c6c75dabd69012e

General

Target

deed contract,07.21.doc
Size

74KB
MD5

2d0088012b6c1f399e946a8e5b513e36
SHA1

25b7290bf78fce2951ee78df721994890b2d8aad
SHA256

f6c286e79ec7023e8ff292c6f71ad0ecc8fef8463e8d2fe1aa0d527c3d833b01
SHA512

4a2b1d82a52cf7b268a5abdcac5e17b0d080e18de23bebbd9bb2b39484ff42a525b339dd05f9cd86d38f244d0ba819429cac8d49355e69afea764b435fefd8f4

Score

10^/10

trickbot zev4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev4

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1396	1748	cmd.exe	WINWORD.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 1768 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1720 regsvr32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ident.me
13 ident.me
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
5	1768	mshta.exe

pid	process
1720	regsvr32.exe

flow	ioc
12	ident.me
13	ident.me

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1748 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1968 wermgr.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

1748 WINWORD.EXE
1748 WINWORD.EXE
1748 WINWORD.EXE

pid	process
1748	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1968	wermgr.exe

pid	process
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exeregsvr32.exe

description	pid	process	target process
PID 1748 wrote to memory of 1396	1748	WINWORD.EXE	cmd.exe
PID 1748 wrote to memory of 1396	1748	WINWORD.EXE	cmd.exe
PID 1748 wrote to memory of 1396	1748	WINWORD.EXE	cmd.exe
PID 1748 wrote to memory of 1396	1748	WINWORD.EXE	cmd.exe
PID 1396 wrote to memory of 1768	1396	cmd.exe	mshta.exe
PID 1396 wrote to memory of 1768	1396	cmd.exe	mshta.exe
PID 1396 wrote to memory of 1768	1396	cmd.exe	mshta.exe
PID 1396 wrote to memory of 1768	1396	cmd.exe	mshta.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1768 wrote to memory of 1720	1768	mshta.exe	regsvr32.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe
PID 1748 wrote to memory of 868	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 868	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 868	1748	WINWORD.EXE	splwow64.exe
PID 1748 wrote to memory of 868	1748	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe
PID 1720 wrote to memory of 1968	1720	regsvr32.exe	wermgr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,07.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\programdata\funcToProc.hta
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\funcToProc.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\funcToProc.jpg
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\funcToProc.hta
MD5
bc4be77135061df095a403023bae0109

SHA1
2fc60dd93271d314a961e47e18b64ab28ae8d327

SHA256
dc57fcce608c4997a28a47c3ba309091a6ca6920b91ec8fa5b859c7fb94193f3

SHA512
b002a6527ba4b8d7b0616929bf4dac29341d65798c6fd2ecb45a331de0a9a5753f0cc3d64caf51e7edea1a3b0faa42998dd54abb51a5778e80d5252cb3ec9be4

Download Submit
\??\c:\users\public\funcToProc.jpg
MD5
c538f57716e424492b816af505757487

SHA1
2b30d72ff6db80f3c15daf150e000738784f33f6

SHA256
6b1264ddfc4c8124e8f9833a7a7f659c8d39748ecc4d727e4d250eb0d03b5421

SHA512
4c56ca5acd5d56f74a55be95a7cfe1e88e46ea09e15827b37da95a780aec9031472390fc30f6a52be8389f1fe9809b56eb3fe524469dd2361ee2f56ba90d7488

Download Submit
\Users\Public\funcToProc.jpg
MD5
c538f57716e424492b816af505757487

SHA1
2b30d72ff6db80f3c15daf150e000738784f33f6

SHA256
6b1264ddfc4c8124e8f9833a7a7f659c8d39748ecc4d727e4d250eb0d03b5421

SHA512
4c56ca5acd5d56f74a55be95a7cfe1e88e46ea09e15827b37da95a780aec9031472390fc30f6a52be8389f1fe9809b56eb3fe524469dd2361ee2f56ba90d7488

Download Submit
memory/868-76-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/868-75-0x0000000000000000-mapping.dmp

Download
memory/1396-64-0x0000000000000000-mapping.dmp

Download
memory/1720-68-0x0000000000000000-mapping.dmp

Download
memory/1720-73-0x0000000000190000-0x00000000001A1000-memory.dmp

Filesize
68KB

Download
memory/1720-74-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1720-72-0x00000000001F0000-0x000000000022F000-memory.dmp

Filesize
252KB

Download
memory/1748-60-0x0000000072251000-0x0000000072254000-memory.dmp

Filesize
12KB

Download
memory/1748-63-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1748-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1748-61-0x000000006FCD1000-0x000000006FCD3000-memory.dmp

Filesize
8KB

Download
memory/1768-67-0x0000000000000000-mapping.dmp

Download
memory/1968-77-0x0000000000000000-mapping.dmp

Download
memory/1968-79-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1968-78-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads