trickbot | 473254189c42ed4d695ab7d15131b6a5b70f300de93ee34028364feecf51850c

Analysis

max time kernel
131s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9d808a162fe28e7c64e0acfe71b911d_JaffaCakes118.docm
Size

654KB
MD5

e9d808a162fe28e7c64e0acfe71b911d
SHA1

2b8dffacd54196e882bc29bfd1dace121b619dd7
SHA256

473254189c42ed4d695ab7d15131b6a5b70f300de93ee34028364feecf51850c
SHA512

2aa641f1f4c27d0b220a3f49e69a4b07f11c4c0cb5e0b05ef2279cfdaf9186b6a8f42c73cfaa410572620874d2ffa63acbe0f87a43c4f86c7480fa4a2d2ca9a1
SSDEEP

12288:aCldyxIA+zISba/LbjM8xFrztlSvnSucVM2V0aa3E0hfPr9dCeV:BxdbcbTxFrKnSucOpVV

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1528	2948	explorer.exe	27

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

Processes:

resource	yara_rule
behavioral1/memory/264-55-0x00000000006B0000-0x00000000006E8000-memory.dmp	templ_dll
behavioral1/memory/264-59-0x0000000001F10000-0x0000000001F46000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
264	regsvr32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeWINWORD.EXEexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2948	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description	pid	Process
Token: SeDebugPrivilege	620	wermgr.exe
Token: SeDebugPrivilege	620	wermgr.exe
Token: SeDebugPrivilege	620	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2948	WINWORD.EXE
2948	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

WINWORD.EXEexplorer.exeWScript.exeregsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 2948 wrote to memory of 1528	2948	WINWORD.EXE	28
PID 2948 wrote to memory of 1528	2948	WINWORD.EXE	28
PID 2948 wrote to memory of 1528	2948	WINWORD.EXE	28
PID 2948 wrote to memory of 1528	2948	WINWORD.EXE	28
PID 2212 wrote to memory of 2632	2212	explorer.exe	31
PID 2212 wrote to memory of 2632	2212	explorer.exe	31
PID 2212 wrote to memory of 2632	2212	explorer.exe	31
PID 2948 wrote to memory of 2704	2948	WINWORD.EXE	32
PID 2948 wrote to memory of 2704	2948	WINWORD.EXE	32
PID 2948 wrote to memory of 2704	2948	WINWORD.EXE	32
PID 2948 wrote to memory of 2704	2948	WINWORD.EXE	32
PID 2632 wrote to memory of 808	2632	WScript.exe	36
PID 2632 wrote to memory of 808	2632	WScript.exe	36
PID 2632 wrote to memory of 808	2632	WScript.exe	36
PID 2632 wrote to memory of 808	2632	WScript.exe	36
PID 2632 wrote to memory of 808	2632	WScript.exe	36
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 808 wrote to memory of 264	808	regsvr32.exe	37
PID 264 wrote to memory of 620	264	regsvr32.exe	38
PID 264 wrote to memory of 620	264	regsvr32.exe	38
PID 264 wrote to memory of 620	264	regsvr32.exe	38
PID 264 wrote to memory of 620	264	regsvr32.exe	38
PID 264 wrote to memory of 620	264	regsvr32.exe	38
PID 264 wrote to memory of 620	264	regsvr32.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d808a162fe28e7c64e0acfe71b911d_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\explorer.exe
  explorer c:\programdata\objStreamUTF8NoBOM.Vbe
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\objStreamUTF8NoBOM.Vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" c:\UTF8NoBOM\APSLVDFB.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\regsvr32.exe
      c:\UTF8NoBOM\APSLVDFB.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\objStreamUTF8NoBOM.Vbe

Filesize
576KB

MD5
376038e75a8172b752fd5a8c8b348136

SHA1
abd2bc47505d39978bcf5260d5ceff36b7be257a

SHA256
e680577626870fb45df77f29860518d904e175c91c045fdd3b9472f762a4073b

SHA512
35706189f1b373eb5ea0dccf48a80d576455d1799b1e738f2127baffdb1c79792de2b9160ca7953a68b79f34e528ad26bcb6dd16e74940c446aa5c518a2c2c26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d57b4444aef076736b13618fe305b32

SHA1
5c5f4599053e994628db5b48ab4867dc63099a90

SHA256
7751055a2684279efc7ff4a9b6b6687413c026d11d193515817b28330bc5a3a6

SHA512
a258d6486b20ef67c0ca053289fb55f842f861f548f99f47d73bbf03d6bdda91ddf7c17c34dd0e0a441116251010827b0eebb9d6bef3aabfafdf23d07cbba7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4F8E1FAB-B505-4681-B7E6-2780010B88FC}.tmp

Filesize
1.4MB

MD5
5dbedbbca7b7c344de6eced11d6399f3

SHA1
71cb690d9797440e7d8a1423cc4822d811feb148

SHA256
11c5680df718441a98cf798211cec005c247160f750f8c819371db85a1512801

SHA512
4a2270c87c0c616155a9ab351dc3f7a0494d992ccca13044ce39ca249fa0a2e3c14461791f25c649d1a718ef1e7aa0fe3a6293391d7820bafd3c7a2d2e65a19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BD52FFE-EDBD-4960-8D5E-C693A4B5BBF8}.tmp

Filesize
1024B

MD5
7160764d34e82b51f2e1ac85a72c5431

SHA1
ef72dad0043f0052ce3122ad0e86233b7ad19fee

SHA256
fda0079558ec250289bed8ff1440391b5ff4f3c6bca7eca292849dd98f880acf

SHA512
361fb1ee403b8d5f70b78e7d5d075be8d4acd287d84f1459abdeec257f34276b676a7eaaa819ec5bc61926a1f976349cad55c7d964d773300920793cc2e1c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FA8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FCA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
975e99183578ed901fcb4b165c9578a1

SHA1
2d9c95e863eab340cff3fd4815f445b8ed929ba7

SHA256
28c7f14ac5802b494a05e64d742f619ab54c8bc8c1b86e9c5946a679804b7f04

SHA512
330afd91df9a664afa7bbe021b9358c40e654055a0c2f77a63a05a46602eea861a6b470442b3e003783d1bb42364e5651d452949179386c095fd63d6e9e06f18

Download Submit
\??\c:\UTF8NoBOM\APSLVDFB.dll

Filesize
304KB

MD5
234efc055e93b433e41d555fb37736e1

SHA1
b9973c6a5fda7c1a8f50afa1e822346e2ce39dc7

SHA256
7fee0f3adb6bb5a3ed22ad960709a87893e2512d099f6c8c39946097d9a4122b

SHA512
0ead597e2702815c71e1c1a0d222e91d83301034cdad4c1109fab39370bde922748827f6e38cf9dbbd7d318615c73c0598b980b82df9267dee1c5721f9e7f1a4

Download Submit
memory/264-62-0x0000000002A40000-0x0000000002B9C000-memory.dmp

Filesize
1.4MB

Download
memory/264-59-0x0000000001F10000-0x0000000001F46000-memory.dmp

Filesize
216KB

Download
memory/264-55-0x00000000006B0000-0x00000000006E8000-memory.dmp

Filesize
224KB

Download
memory/620-64-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-33-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-6-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-21-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-22-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-23-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-24-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-17-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-20-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-25-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-19-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-18-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-27-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-28-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-32-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-34-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-38-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-37-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-35-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-0-0x000000002F4E1000-0x000000002F4E2000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-29-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-8-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-36-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-49-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2948-50-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-51-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-9-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-10-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-11-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-12-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-13-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-14-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-15-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-16-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-5-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2948-2-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2948-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2948-179-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2948-180-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download