trickbot | 1e3b06fde57c0de4fa8b07820df90cf53b1e38d70bddecb465768d734f7c55d3

General

Target

order_summary_9345CH59.xlsm
Size

210KB
MD5

f86a5b64dc165b3c9131817765aaab08
SHA1

07a64bcfa310fb21afd883348a6b539b35282a70
SHA256

1e3b06fde57c0de4fa8b07820df90cf53b1e38d70bddecb465768d734f7c55d3
SHA512

9f59d9d4414ea4a5da1d1a52cc94c5a97daba2de24c4cbf37c0df34f1de905f8a7f1813d9b38bf6eb77bab308b198f86292542c22c971212a12af5fe59bc343b

Score

10^/10

trickbot sat4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://162.248.227.64/1510.dll

Extracted

Family

trickbot

Version

100019

Botnet

sat4

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5004	2324	regsvr32.exe	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1164 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 myexternalip.com

pid	process
1164	regsvr32.exe

flow	ioc
45	myexternalip.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2324 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4120 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	4120	wermgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE
2324	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2324 wrote to memory of 5004	2324	EXCEL.EXE	regsvr32.exe
PID 2324 wrote to memory of 5004	2324	EXCEL.EXE	regsvr32.exe
PID 5004 wrote to memory of 1164	5004	regsvr32.exe	regsvr32.exe
PID 5004 wrote to memory of 1164	5004	regsvr32.exe	regsvr32.exe
PID 5004 wrote to memory of 1164	5004	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 4132	1164	regsvr32.exe	cmd.exe
PID 1164 wrote to memory of 4132	1164	regsvr32.exe	cmd.exe
PID 1164 wrote to memory of 4132	1164	regsvr32.exe	cmd.exe
PID 1164 wrote to memory of 4120	1164	regsvr32.exe	wermgr.exe
PID 1164 wrote to memory of 4120	1164	regsvr32.exe	wermgr.exe
PID 1164 wrote to memory of 4120	1164	regsvr32.exe	wermgr.exe
PID 1164 wrote to memory of 4120	1164	regsvr32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\order_summary_9345CH59.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 -silent C:\Datop\test.test
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\regsvr32.exe
-silent C:\Datop\test.test
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:4132

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Datop\test.test
MD5
774004403840a8b6130c04982e0ba462

SHA1
fdf24846bdf1483745cf07de67ee7dd1f05531d7

SHA256
47c38c85bd84a505e7ecd2dca0da23252882c9ef9ce474d69c1a51262def7d78

SHA512
38c0dab8d8ca6f3349f41e3d83ec725de58420abe59b077d47e2e609973d4a65cf86679b82170fd8f3dfb238c38794f015227ea05b5ac4dcde933274d6f11fc3

Download Submit
\Datop\test.test
MD5
774004403840a8b6130c04982e0ba462

SHA1
fdf24846bdf1483745cf07de67ee7dd1f05531d7

SHA256
47c38c85bd84a505e7ecd2dca0da23252882c9ef9ce474d69c1a51262def7d78

SHA512
38c0dab8d8ca6f3349f41e3d83ec725de58420abe59b077d47e2e609973d4a65cf86679b82170fd8f3dfb238c38794f015227ea05b5ac4dcde933274d6f11fc3

Download Submit
memory/1164-270-0x00000000036C1000-0x00000000036C3000-memory.dmp

Filesize
8KB

Download
memory/1164-269-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1164-267-0x0000000004F60000-0x0000000004F99000-memory.dmp

Filesize
228KB

Download
memory/1164-268-0x00000000050A0000-0x00000000050E5000-memory.dmp

Filesize
276KB

Download
memory/1164-258-0x0000000000000000-mapping.dmp

Download
memory/2324-119-0x0000028E27C40000-0x0000028E27C42000-memory.dmp

Filesize
8KB

Download
memory/2324-122-0x0000028E27C40000-0x0000028E27C42000-memory.dmp

Filesize
8KB

Download
memory/2324-121-0x00007FFBE8080000-0x00007FFBE8090000-memory.dmp

Filesize
64KB

Download
memory/2324-120-0x0000028E27C40000-0x0000028E27C42000-memory.dmp

Filesize
8KB

Download
memory/2324-115-0x00007FFBE8080000-0x00007FFBE8090000-memory.dmp

Filesize
64KB

Download
memory/2324-118-0x00007FFBE8080000-0x00007FFBE8090000-memory.dmp

Filesize
64KB

Download
memory/2324-117-0x00007FFBE8080000-0x00007FFBE8090000-memory.dmp

Filesize
64KB

Download
memory/2324-116-0x00007FFBE8080000-0x00007FFBE8090000-memory.dmp

Filesize
64KB

Download
memory/4120-273-0x0000000000000000-mapping.dmp

Download
memory/4120-275-0x000002180A3D0000-0x000002180A3D1000-memory.dmp

Filesize
4KB

Download
memory/4120-274-0x000002180A2B0000-0x000002180A2D9000-memory.dmp

Filesize
164KB

Download
memory/5004-256-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads