trickbot | 473254189c42ed4d695ab7d15131b6a5b70f300de93ee34028364feecf51850c

General

Target

e9d808a162fe28e7c64e0acfe71b911d_JaffaCakes118.docm
Size

654KB
MD5

e9d808a162fe28e7c64e0acfe71b911d
SHA1

2b8dffacd54196e882bc29bfd1dace121b619dd7
SHA256

473254189c42ed4d695ab7d15131b6a5b70f300de93ee34028364feecf51850c
SHA512

2aa641f1f4c27d0b220a3f49e69a4b07f11c4c0cb5e0b05ef2279cfdaf9186b6a8f42c73cfaa410572620874d2ffa63acbe0f87a43c4f86c7480fa4a2d2ca9a1
SSDEEP

12288:aCldyxIA+zISba/LbjM8xFrztlSvnSucVM2V0aa3E0hfPr9dCeV:BxdbcbTxFrKnSucOpVV

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	956	2608	explorer.exe	81

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral2/memory/1080-94-0x0000000002D90000-0x0000000002DC8000-memory.dmp	templ_dll
behavioral2/memory/1080-98-0x0000000002E20000-0x0000000002E56000-memory.dmp	templ_dll

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 1 IoCs

pid	Process
1080	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	wermgr.exe
Token: SeDebugPrivilege	3548	wermgr.exe
Token: SeDebugPrivilege	3548	wermgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 956	2608	WINWORD.EXE	88
PID 2608 wrote to memory of 956	2608	WINWORD.EXE	88
PID 2484 wrote to memory of 528	2484	explorer.exe	90
PID 2484 wrote to memory of 528	2484	explorer.exe	90
PID 528 wrote to memory of 5096	528	WScript.exe	95
PID 528 wrote to memory of 5096	528	WScript.exe	95
PID 5096 wrote to memory of 1080	5096	regsvr32.exe	96
PID 5096 wrote to memory of 1080	5096	regsvr32.exe	96
PID 5096 wrote to memory of 1080	5096	regsvr32.exe	96
PID 1080 wrote to memory of 3548	1080	regsvr32.exe	97
PID 1080 wrote to memory of 3548	1080	regsvr32.exe	97
PID 1080 wrote to memory of 3548	1080	regsvr32.exe	97
PID 1080 wrote to memory of 3548	1080	regsvr32.exe	97

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d808a162fe28e7c64e0acfe71b911d_JaffaCakes118.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\explorer.exe
  explorer c:\programdata\objStreamUTF8NoBOM.Vbe
  2⤵
  - Process spawned unexpected child process
  PID:956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\objStreamUTF8NoBOM.Vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" c:\UTF8NoBOM\APSLVDFB.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\regsvr32.exe
      c:\UTF8NoBOM\APSLVDFB.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\objStreamUTF8NoBOM.Vbe

Filesize
576KB

MD5
376038e75a8172b752fd5a8c8b348136

SHA1
abd2bc47505d39978bcf5260d5ceff36b7be257a

SHA256
e680577626870fb45df77f29860518d904e175c91c045fdd3b9472f762a4073b

SHA512
35706189f1b373eb5ea0dccf48a80d576455d1799b1e738f2127baffdb1c79792de2b9160ca7953a68b79f34e528ad26bcb6dd16e74940c446aa5c518a2c2c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3E3E.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
5d50c27456e407d353bcc5e1f2e88252

SHA1
bc1241f1323a8eb4bccd99a9017aed946b2e49c8

SHA256
7ae821bfa0a9babc8a89c82ef0697bb686d90e65f310b18424f0072583735bec

SHA512
ae197a26223511c70e0eedc0a377809cc53ba3a5b4fe344006ebdb1195d0d4be94183d82b98ceafd3cadebefe4cbdc4f986ef6635ad491e3678920557a0b8dba

Download Submit
\??\c:\UTF8NoBOM\APSLVDFB.dll

Filesize
304KB

MD5
234efc055e93b433e41d555fb37736e1

SHA1
b9973c6a5fda7c1a8f50afa1e822346e2ce39dc7

SHA256
7fee0f3adb6bb5a3ed22ad960709a87893e2512d099f6c8c39946097d9a4122b

SHA512
0ead597e2702815c71e1c1a0d222e91d83301034cdad4c1109fab39370bde922748827f6e38cf9dbbd7d318615c73c0598b980b82df9267dee1c5721f9e7f1a4

Download Submit
memory/1080-255-0x0000000003010000-0x00000000030F3000-memory.dmp

Filesize
908KB

Download
memory/1080-102-0x0000000003010000-0x00000000030F3000-memory.dmp

Filesize
908KB

Download
memory/1080-98-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/1080-94-0x0000000002D90000-0x0000000002DC8000-memory.dmp

Filesize
224KB

Download
memory/2608-7-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-9-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-6-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-17-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-18-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-16-0x00007FFBC59F0000-0x00007FFBC5A00000-memory.dmp

Filesize
64KB

Download
memory/2608-15-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-14-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-13-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-12-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-11-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-19-0x00007FFBC59F0000-0x00007FFBC5A00000-memory.dmp

Filesize
64KB

Download
memory/2608-50-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-8-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-84-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-2-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-90-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-4-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-5-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-10-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-279-0x00007FFC07C30000-0x00007FFC07E25000-memory.dmp

Filesize
2.0MB

Download
memory/2608-1-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-0-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-3-0x00007FFC07CCD000-0x00007FFC07CCE000-memory.dmp

Filesize
4KB

Download
memory/2608-275-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-278-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-276-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/2608-277-0x00007FFBC7CB0000-0x00007FFBC7CC0000-memory.dmp

Filesize
64KB

Download
memory/3548-101-0x0000022B36780000-0x0000022B36781000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads