trickbot | f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70

General

Target

legislate 09.21.doc
Size

69KB
MD5

24001fc51ff0994fe9c43b4653918f5e
SHA1

ae3b0439ed5fc269887d0094c8afac934e7d8980
SHA256

f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
SHA512

28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa

Score

10^/10

trickbot zem1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

zem1

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1700	2000	explorer.exe	WINWORD.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 1092 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1132 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipecho.net
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
6	1092	mshta.exe

pid	process
1132	regsvr32.exe

flow	ioc
15	ipecho.net

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2000 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2020 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2000 WINWORD.EXE
2000 WINWORD.EXE

pid	process
2000	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2020	wermgr.exe

pid	process
2000	WINWORD.EXE
2000	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

WINWORD.EXEexplorer.exemshta.exeregsvr32.exe

description	pid	process	target process
PID 2000 wrote to memory of 1592	2000	WINWORD.EXE	splwow64.exe
PID 2000 wrote to memory of 1592	2000	WINWORD.EXE	splwow64.exe
PID 2000 wrote to memory of 1592	2000	WINWORD.EXE	splwow64.exe
PID 2000 wrote to memory of 1592	2000	WINWORD.EXE	splwow64.exe
PID 2000 wrote to memory of 1700	2000	WINWORD.EXE	explorer.exe
PID 2000 wrote to memory of 1700	2000	WINWORD.EXE	explorer.exe
PID 2000 wrote to memory of 1700	2000	WINWORD.EXE	explorer.exe
PID 2000 wrote to memory of 1700	2000	WINWORD.EXE	explorer.exe
PID 280 wrote to memory of 1092	280	explorer.exe	mshta.exe
PID 280 wrote to memory of 1092	280	explorer.exe	mshta.exe
PID 280 wrote to memory of 1092	280	explorer.exe	mshta.exe
PID 280 wrote to memory of 1092	280	explorer.exe	mshta.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1092 wrote to memory of 1132	1092	mshta.exe	regsvr32.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe
PID 1132 wrote to memory of 2020	1132	regsvr32.exe	wermgr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1592

C:\Windows\SysWOW64\explorer.exe
explorer caDePw.hta
2⤵
- Process spawned unexpected child process
PID:1700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caDePw.hta
MD5
ce58d7ae8af9827a672b129d60c916d9

SHA1
498a881eb9e1960793654c7afc9406193e7c8db0

SHA256
b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84

SHA512
7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1

Download Submit
\??\c:\users\public\caDePw.jpg
MD5
a72b41be79e3fba13890f3487e6e794b

SHA1
180ec439b27f512428550d3a199edcd013754602

SHA256
b4095d1c356a145cca001102abd0ad719a1798594756d20e198f92a39ba21af7

SHA512
4c21d93e14aea94afca3378b6adbddad2c0ddc579d1bf81e437da2b42d1228992ffe61532a3055af9e794144c3ff0f8f31aff9c9e297a0dba41d649af614a3d6

Download Submit
\Users\Public\caDePw.jpg
MD5
a72b41be79e3fba13890f3487e6e794b

SHA1
180ec439b27f512428550d3a199edcd013754602

SHA256
b4095d1c356a145cca001102abd0ad719a1798594756d20e198f92a39ba21af7

SHA512
4c21d93e14aea94afca3378b6adbddad2c0ddc579d1bf81e437da2b42d1228992ffe61532a3055af9e794144c3ff0f8f31aff9c9e297a0dba41d649af614a3d6

Download Submit
memory/1092-70-0x0000000000000000-mapping.dmp

Download
memory/1132-82-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/1132-83-0x00000000004E1000-0x00000000004E3000-memory.dmp

Filesize
8KB

Download
memory/1132-81-0x0000000000490000-0x00000000004D5000-memory.dmp

Filesize
276KB

Download
memory/1132-78-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/1132-76-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/1132-72-0x0000000000000000-mapping.dmp

Download
memory/1592-63-0x0000000000000000-mapping.dmp

Download
memory/1592-64-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1700-67-0x000000006BB11000-0x000000006BB13000-memory.dmp

Filesize
8KB

Download
memory/1700-65-0x0000000000000000-mapping.dmp

Download
memory/2000-62-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-60-0x00000000707D1000-0x00000000707D3000-memory.dmp

Filesize
8KB

Download
memory/2000-59-0x0000000072D51000-0x0000000072D54000-memory.dmp

Filesize
12KB

Download
memory/2000-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-84-0x0000000000000000-mapping.dmp

Download
memory/2020-86-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2020-85-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads