trickbot | 1ac0a5d6cd95999191d117af62b11ddf8468639541cfdb8d6ddec215c037e001

General

Target

Documents.lnk
Size

1KB
MD5

0c87cf536140349af097d10fd388e8d8
SHA1

a8e880685cf6cce8c3d254de7420649fa4e881b8
SHA256

d43f97b1e8bc5537b0820c22abaab7fee4747767464cdfbef6758b678c998331
SHA512

63589bfde2c1211553ddd64f4c77c6f3a06a2576edd25aad67936f77735d35152f025c029aeefb2427d12e1eaa565794774f49da131fee7f68829002373b1a2e

Score

10^/10

trickbot leg1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

leg1

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4240 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4268 wermgr.exe

pid	process
4240	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4268	wermgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3596 wrote to memory of 3936	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 3936	3596	cmd.exe	cmd.exe
PID 3936 wrote to memory of 4016	3936	cmd.exe	xcopy.exe
PID 3936 wrote to memory of 4016	3936	cmd.exe	xcopy.exe
PID 3936 wrote to memory of 4352	3936	cmd.exe	rundll32.exe
PID 3936 wrote to memory of 4352	3936	cmd.exe	rundll32.exe
PID 4352 wrote to memory of 4240	4352	rundll32.exe	rundll32.exe
PID 4352 wrote to memory of 4240	4352	rundll32.exe	rundll32.exe
PID 4352 wrote to memory of 4240	4352	rundll32.exe	rundll32.exe
PID 4240 wrote to memory of 4256	4240	rundll32.exe	cmd.exe
PID 4240 wrote to memory of 4256	4240	rundll32.exe	cmd.exe
PID 4240 wrote to memory of 4256	4240	rundll32.exe	cmd.exe
PID 4240 wrote to memory of 4268	4240	rundll32.exe	wermgr.exe
PID 4240 wrote to memory of 4268	4240	rundll32.exe	wermgr.exe
PID 4240 wrote to memory of 4268	4240	rundll32.exe	wermgr.exe
PID 4240 wrote to memory of 4268	4240	rundll32.exe	wermgr.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C xcopy /H /y Documents.tmp c:\programdata && start rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer && del Documents.lnk && del Documents.tmp && mkdir Documents && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\xcopy.exe
xcopy /H /y Documents.tmp c:\programdata
3⤵
PID:4016

C:\Windows\system32\rundll32.exe
rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
3⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\programdata\Documents.tmp,DllRegisterServer
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
5⤵
PID:4256

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\Documents.tmp
MD5
ac1d4a51b8c1f7f98a1033e5bc2e1de7

SHA1
ddaed871b9f95a758b89c856a6d4ccf7751b8103

SHA256
7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7

SHA512
46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13

Download Submit
\ProgramData\Documents.tmp
MD5
ac1d4a51b8c1f7f98a1033e5bc2e1de7

SHA1
ddaed871b9f95a758b89c856a6d4ccf7751b8103

SHA256
7a297e62cd649ae1763acd89bcf2135eebf6b3a910ca60621d84e004b078beb7

SHA512
46559ffb39468f79be481bb0078daadb37ba2874e448eb9dafb7e24337ba44aca18cf80c87d942069bfed4bb9fe138f54259f9bd35ec91d000ac79a3df0eac13

Download Submit
memory/3936-115-0x0000000000000000-mapping.dmp

Download
memory/4016-116-0x0000000000000000-mapping.dmp

Download
memory/4240-121-0x00000000047D0000-0x0000000004A38000-memory.dmp

Filesize
2.4MB

Download
memory/4240-119-0x0000000000000000-mapping.dmp

Download
memory/4240-122-0x0000000004B50000-0x0000000004B95000-memory.dmp

Filesize
276KB

Download
memory/4240-123-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4240-124-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/4268-125-0x0000000000000000-mapping.dmp

Download
memory/4268-126-0x00000260C7EC0000-0x00000260C7EE9000-memory.dmp

Filesize
164KB

Download
memory/4268-127-0x00000260C80D0000-0x00000260C80D1000-memory.dmp

Filesize
4KB

Download
memory/4268-129-0x00000260C82A0000-0x00000260C82A2000-memory.dmp

Filesize
8KB

Download
memory/4268-128-0x00000260C82A0000-0x00000260C82A2000-memory.dmp

Filesize
8KB

Download
memory/4352-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing