trickbot | 136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15810fb5f100a3a2d21e4c2288dc1a88_JaffaCakes118.vbs
Size

636KB
MD5

15810fb5f100a3a2d21e4c2288dc1a88
SHA1

834308004280f11a459f764d9e2339c34dc5d7f1
SHA256

136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6
SHA512

431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87
SSDEEP

6144:VdRRukv5qBwnX4kRdhogrMkgS1SuxRvT3b3KBaEt47A24/HGiovG:ikcpkHhR9Yu93O2An/H4G

Score

10^/10

trickbot banker packer trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

Processes:

resource	yara_rule
behavioral1/memory/2700-6-0x0000000000230000-0x0000000000267000-memory.dmp	templ_dll
behavioral1/memory/2700-10-0x0000000000270000-0x00000000002A6000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2700 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2700	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD000351-0A8A-11EF-92F7-4AE872E97954} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421039514"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2688 wermgr.exe
Token: SeDebugPrivilege 2688 wermgr.exe
Token: SeDebugPrivilege 2688 wermgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

772 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

772 iexplore.exe
772 iexplore.exe
2956 IEXPLORE.EXE
2956 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2688	wermgr.exe
Token: SeDebugPrivilege	2688	wermgr.exe
Token: SeDebugPrivilege	2688	wermgr.exe

pid	process
772	iexplore.exe

pid	process
772	iexplore.exe
772	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exeiexplore.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2868 wrote to memory of 1712	2868	WScript.exe	cmd.exe
PID 2868 wrote to memory of 1712	2868	WScript.exe	cmd.exe
PID 2868 wrote to memory of 1712	2868	WScript.exe	cmd.exe
PID 772 wrote to memory of 2956	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 2956	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 2956	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 2956	772	iexplore.exe	IEXPLORE.EXE
PID 2868 wrote to memory of 2600	2868	WScript.exe	certutil.exe
PID 2868 wrote to memory of 2600	2868	WScript.exe	certutil.exe
PID 2868 wrote to memory of 2600	2868	WScript.exe	certutil.exe
PID 2868 wrote to memory of 2668	2868	WScript.exe	regsvr32.exe
PID 2868 wrote to memory of 2668	2868	WScript.exe	regsvr32.exe
PID 2868 wrote to memory of 2668	2868	WScript.exe	regsvr32.exe
PID 2868 wrote to memory of 2668	2868	WScript.exe	regsvr32.exe
PID 2868 wrote to memory of 2668	2868	WScript.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2700	2668	regsvr32.exe	regsvr32.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe
PID 2700 wrote to memory of 2688	2700	regsvr32.exe	wermgr.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15810fb5f100a3a2d21e4c2288dc1a88_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
2⤵
PID:1712

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
2⤵
PID:2600

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\regsvr32.exe
c:\drad\ONKVD.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drad\ONKVD.dll
Filesize
608KB

MD5
faf55f62d1967375625d0e402c34ee0a

SHA1
02c8f9055c69a3386e7dbfd2eafad3beab3779fb

SHA256
c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e

SHA512
227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a71e85ca31d430812347c56b5dc9e5f

SHA1
f085756cccf252e5218079ebe54a3968dbb46398

SHA256
5029e1b52ad957a7b747deaba0f713e9d7ff47823086bd7f15b72b52df3485a1

SHA512
db1b8e3b929f33d07fabdba7d02a58747a4c36349e0cb04458182ec9b92d1dbf68c6caaf6dc4267c71bfd84d5ec2717aca9b6f4558fcf303e87f6480e334245c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
949ed7426e9cfdfbb8fdd9303ec0a828

SHA1
bf0870b46cf595067ffbdfb092c1b3c7feb5b755

SHA256
4eafd17d562af03f5872310a83fd4bbea842172dcd03c0ebdf85f2f147dac65b

SHA512
8a223fdfe0544df8d3364c4df5275150587ef18755a10df396a1983149a5ddadb46cfe3c7df8d545766d1db47a485050acf3c284ead44e0ce55090c921fe96ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
38c4c72610f2e87a631e97748cdc6890

SHA1
e9b406a4ea6944098b6e33df868506c585bf5a14

SHA256
68cf31ac63fce05bd5365b81b1706a5a82b6c5dd08570671d0b5bf58ddd5f6fb

SHA512
119c31b53536da70193dc05008e602d1de6bc4a391048ae7e95ed3a0359ab0ef015658b5e38ca839f051d5db1861d278f15efb1d608354a98d2322b034ab29e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1d27772b35c58a9f813ccf988b95ec4e

SHA1
0e4313be6d216422a4fdd8d51f099135cf0787f5

SHA256
d3b75b7414ce2f6f3d5c39aab0ac516cf74b4ab68476ebc5c16b26b47e32f365

SHA512
9ab83589ff914082f4dbd0b9892853e92712fc217a357d32e4ebf24f4e916adc83bbc3e756a2c63fd235ade85ebeb4e01e45b395a57bcf5b180abc8a151ff00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4dceb0b4da39cc0e90d77520cddc76a7

SHA1
fd0d8c1bb3a0b3e854e96c37353373858b95ad53

SHA256
5f50770627f1e0f16ec61cc8eabe29955f2d3266eaaf75dfea37c45287d9431f

SHA512
d15ad0bd6edc3c0d4bad3604e4a899b2ddd52aa1b53d28a36820537792c9f29856e723eb2e15dd63b7755d2bfd34a489042b19babe549bb838b5d7cb65623ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b54e6f6f471c8fcbae4ae65faf19b7c8

SHA1
3844ebdc1fb48de7287096ffa7a0746fa27e1aa7

SHA256
5b893fe1058d11be33776ac0812db731dd574a26f9f3aca6bcabdd9265ae8b5c

SHA512
c7228cacf6ed36e1acd9a8a796b35adde8acdec9771bae44877d0c06f503825509c2ea655d6c89abe6e0d0627d7c6787f12684fce13470406f7ab703e0f6f419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14162ee6084ad30c6d223ef4e03de997

SHA1
0ff7270a54f2273cca3c43b502850479691ae99a

SHA256
be8be688523022f25bb3e96405b0cff874bcd7ef1095084aade5cf7574a5146f

SHA512
32145b563ec8b23d797590e8bc39d8d5a9bd6f1e8496002fee198e48d93cb9775ceacff7c7e03534949568769480aa083e813e62fc8defc5b03c2c35c3d7b884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23dd70e5bc68af1cacfd2915f32b0e68

SHA1
4882944faa69092907d0173cd45c3c42b91814b1

SHA256
86ec4afc04132765146f5ca7a810b65a8330d992d9355830b65cb6b3f2701cef

SHA512
0048ea4ddca391967d02e33cb0dcef1cbe82746238f5b2f7affef7ec0865bce9f6cfd764cbbea208a2079c1ddd5af425051609feef639950bae29e72ba6cda04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6C4.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4A58DE377B3CBDB3.TMP
Filesize
16KB

MD5
b9b8064312bdb09ab98b7e5c004bc44c

SHA1
61fa3a1b5c3ebae06a48306053b5022cc6589e8a

SHA256
21a6eae2e6f21b4439a33d6f89d7db76046c4c952bb0c6f1c72578c3da0a8d31

SHA512
76a2801f2d71c81740fca0017e8f17475bfbeea190749593bdadef523142a5c0bfa6c6c2f151d5ab05c3d6b766e70a74b03b346f552240a8bd8711d0e5dd5a23

Download Submit
\??\c:\drad\ONKVD.dll
Filesize
304KB

MD5
0828f63b9396fead9231cae937694a37

SHA1
66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8

SHA256
fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4

SHA512
dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

Download Submit
memory/2688-15-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2700-6-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/2700-10-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2700-12-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2700-13-0x00000000027C0000-0x000000000291C000-memory.dmp

Filesize
1.4MB

Download
memory/2700-16-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download