trickbot | f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70

General

Target

legislate 09.21.doc
Size

69KB
MD5

24001fc51ff0994fe9c43b4653918f5e
SHA1

ae3b0439ed5fc269887d0094c8afac934e7d8980
SHA256

f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
SHA512

28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa

Score

10^/10

trickbot zem1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

zem1

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	536	1960	explorer.exe	WINWORD.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

7 572 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

760 regsvr32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ident.me
15 ident.me
Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description ioc process

File created C:\Windows\system32\cn\zlrkod.txt wermgr.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1824 net.exe
1356 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1888 ipconfig.exe

flow	pid	process
7	572	mshta.exe

pid	process
760	regsvr32.exe

flow	ioc
14	ident.me
15	ident.me

description	ioc	process
File created	C:\Windows\system32\cn\zlrkod.txt	wermgr.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1824	net.exe
1356	net.exe

pid	process
1888	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1980 svchost.exe
632 svchost.exe
632 svchost.exe
1892 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1276 wermgr.exe
Token: SeDebugPrivilege 1980 svchost.exe
Token: SeDebugPrivilege 632 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
1960 WINWORD.EXE

pid	process
1960	WINWORD.EXE

pid	process
1980	svchost.exe
632	svchost.exe
632	svchost.exe
1892	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1276	wermgr.exe
Token: SeDebugPrivilege	1980	svchost.exe
Token: SeDebugPrivilege	632	svchost.exe

pid	process
1960	WINWORD.EXE
1960	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEexplorer.exemshta.exeregsvr32.exewermgr.exe

description	pid	process	target process
PID 1960 wrote to memory of 1660	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1660	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1660	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1660	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 536	1960	WINWORD.EXE	explorer.exe
PID 1960 wrote to memory of 536	1960	WINWORD.EXE	explorer.exe
PID 1960 wrote to memory of 536	1960	WINWORD.EXE	explorer.exe
PID 1960 wrote to memory of 536	1960	WINWORD.EXE	explorer.exe
PID 1676 wrote to memory of 572	1676	explorer.exe	mshta.exe
PID 1676 wrote to memory of 572	1676	explorer.exe	mshta.exe
PID 1676 wrote to memory of 572	1676	explorer.exe	mshta.exe
PID 1676 wrote to memory of 572	1676	explorer.exe	mshta.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 572 wrote to memory of 760	572	mshta.exe	regsvr32.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 760 wrote to memory of 1276	760	regsvr32.exe	wermgr.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe
PID 1276 wrote to memory of 1980	1276	wermgr.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1660

C:\Windows\SysWOW64\explorer.exe
explorer caDePw.hta
2⤵
- Process spawned unexpected child process
PID:536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\system32\cmd.exe
/c ipconfig /all
6⤵
PID:2032

C:\Windows\system32\ipconfig.exe
ipconfig /all
7⤵
- Gathers network information
PID:1888

C:\Windows\system32\cmd.exe
/c net config workstation
6⤵
PID:808

C:\Windows\system32\net.exe
net config workstation
7⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
8⤵
PID:968

C:\Windows\system32\cmd.exe
/c net view /all
6⤵
PID:1680

C:\Windows\system32\net.exe
net view /all
7⤵
- Discovers systems in the same network
PID:1824

C:\Windows\system32\cmd.exe
/c net view /all /domain
6⤵
PID:1912

C:\Windows\system32\net.exe
net view /all /domain
7⤵
- Discovers systems in the same network
PID:1356

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
6⤵
PID:1340

C:\Windows\system32\nltest.exe
nltest /domain_trusts
7⤵
PID:1516

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
6⤵
PID:1556

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
7⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caDePw.hta
MD5
ce58d7ae8af9827a672b129d60c916d9

SHA1
498a881eb9e1960793654c7afc9406193e7c8db0

SHA256
b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84

SHA512
7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1

Download Submit
\??\PIPE\browser
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\public\caDePw.jpg
MD5
51cadb33db8286759383a1abe67977f4

SHA1
25322ee0e419802cd09b35a1d25c9b8a0583944a

SHA256
61a2c852be95d33e301b61704853bee40419b973464628b64d2452cdecad5777

SHA512
f2dacec3105af520713f05115e371fa9551819d7228677f392c77e5442c02f70afccd7ee952858ce0d85895364e8c47be15fe6ed7a8620b1cbe6e4e5b83c70d5

Download Submit
\Users\Public\caDePw.jpg
MD5
51cadb33db8286759383a1abe67977f4

SHA1
25322ee0e419802cd09b35a1d25c9b8a0583944a

SHA256
61a2c852be95d33e301b61704853bee40419b973464628b64d2452cdecad5777

SHA512
f2dacec3105af520713f05115e371fa9551819d7228677f392c77e5442c02f70afccd7ee952858ce0d85895364e8c47be15fe6ed7a8620b1cbe6e4e5b83c70d5

Download Submit
memory/536-59-0x0000000000000000-mapping.dmp

Download
memory/536-61-0x000000006B761000-0x000000006B763000-memory.dmp

Filesize
8KB

Download
memory/572-64-0x0000000000000000-mapping.dmp

Download
memory/632-86-0x0000000000000000-mapping.dmp

Download
memory/760-75-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/760-74-0x0000000000610000-0x0000000000655000-memory.dmp

Filesize
276KB

Download
memory/760-71-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download
memory/760-65-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x0000000000271000-0x0000000000273000-memory.dmp

Filesize
8KB

Download
memory/760-69-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/808-98-0x0000000000000000-mapping.dmp

Download
memory/968-100-0x0000000000000000-mapping.dmp

Download
memory/1276-78-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1276-79-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1276-77-0x0000000000000000-mapping.dmp

Download
memory/1340-106-0x0000000000000000-mapping.dmp

Download
memory/1356-104-0x0000000000000000-mapping.dmp

Download
memory/1404-99-0x0000000000000000-mapping.dmp

Download
memory/1508-90-0x0000000000000000-mapping.dmp

Download
memory/1516-107-0x0000000000000000-mapping.dmp

Download
memory/1556-108-0x0000000000000000-mapping.dmp

Download
memory/1660-58-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download
memory/1680-101-0x0000000000000000-mapping.dmp

Download
memory/1756-109-0x0000000000000000-mapping.dmp

Download
memory/1824-102-0x0000000000000000-mapping.dmp

Download
memory/1888-97-0x0000000000000000-mapping.dmp

Download
memory/1892-93-0x0000000180000000-0x000000018000A000-memory.dmp

Filesize
40KB

Download
memory/1892-92-0x0000000000000000-mapping.dmp

Download
memory/1912-103-0x0000000000000000-mapping.dmp

Download
memory/1960-53-0x0000000072AB1000-0x0000000072AB4000-memory.dmp

Filesize
12KB

Download
memory/1960-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1960-54-0x0000000070531000-0x0000000070533000-memory.dmp

Filesize
8KB

Download
memory/1960-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1960-56-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1980-85-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1980-81-0x0000000000000000-mapping.dmp

Download
memory/2032-96-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads