trickbot | 4cac9f93754001e9a0b58e067beefa5ae738fcf1af0b3e75f0e4704e1cbc6982

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6.vbe
Size

636KB
MD5

15810fb5f100a3a2d21e4c2288dc1a88
SHA1

834308004280f11a459f764d9e2339c34dc5d7f1
SHA256

136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6
SHA512

431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87
SSDEEP

6144:VdRRukv5qBwnX4kRdhogrMkgS1SuxRvT3b3KBaEt47A24/HGiovG:ikcpkHhR9Yu93O2An/H4G

Score

10^/10

trickbot banker defense_evasion discovery packer trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral1/memory/2672-6-0x0000000000250000-0x0000000000287000-memory.dmp	templ_dll
behavioral1/memory/2672-9-0x0000000000290000-0x00000000002C6000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
2672	regsvr32.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2836	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{199E2E31-C25E-11EF-BDD1-5A85C185DB3E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441251358"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	wermgr.exe
Token: SeDebugPrivilege	2292	wermgr.exe
Token: SeDebugPrivilege	2292	wermgr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
560	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
560	iexplore.exe
560	iexplore.exe
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2920	2344	WScript.exe	31
PID 2344 wrote to memory of 2920	2344	WScript.exe	31
PID 2344 wrote to memory of 2920	2344	WScript.exe	31
PID 560 wrote to memory of 3004	560	iexplore.exe	34
PID 560 wrote to memory of 3004	560	iexplore.exe	34
PID 560 wrote to memory of 3004	560	iexplore.exe	34
PID 560 wrote to memory of 3004	560	iexplore.exe	34
PID 2344 wrote to memory of 2836	2344	WScript.exe	35
PID 2344 wrote to memory of 2836	2344	WScript.exe	35
PID 2344 wrote to memory of 2836	2344	WScript.exe	35
PID 2344 wrote to memory of 2388	2344	WScript.exe	37
PID 2344 wrote to memory of 2388	2344	WScript.exe	37
PID 2344 wrote to memory of 2388	2344	WScript.exe	37
PID 2344 wrote to memory of 2388	2344	WScript.exe	37
PID 2344 wrote to memory of 2388	2344	WScript.exe	37
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2388 wrote to memory of 2672	2388	regsvr32.exe	38
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39
PID 2672 wrote to memory of 2292	2672	regsvr32.exe	39

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
  2⤵
  PID:2920
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:2836
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\regsvr32.exe
    c:\drad\ONKVD.dll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drad\ONKVD.dll

Filesize
608KB

MD5
faf55f62d1967375625d0e402c34ee0a

SHA1
02c8f9055c69a3386e7dbfd2eafad3beab3779fb

SHA256
c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e

SHA512
227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13ea60355e492b4d812af342134e2a07

SHA1
b21a7bc48dfd6942495ad9161129b2a2bb7719db

SHA256
f717e864e332138b83d9dd7ecc95168079145d74fec6de825b750f80d5b0cdda

SHA512
8018fca713f162363626a8606f1884e5e84c4949f2f499f45c550377dcae3c695c429928792515e37f06293ea7df31ac85d5b929382360652b4b6b57fe475a0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5783ec1be6f201349ed739d6ea18066b

SHA1
4d90f85c2d92f7d216dc9b053cd8f2f3df9b2f61

SHA256
4008a8ead9cc9f46a0dfa1ea53c9e18d0e21bb1d52b9d31dcf8ee91debb4e6e5

SHA512
4e32d7f951b8ee9820213eff442dfd0b5a50b0ce5a7311fa88e0369d635a2d30b9d1a3c7ff3f87fea643e161f931083e63b78345d986e97e65326620361b79e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
067a1bc6068142ac287afd3412f21704

SHA1
3a600c732d596fe971505a986410326834ce86bb

SHA256
4d58bf9480bc44724e78a545a50e1a8693ca80ab4c91a9926ad452b73d429291

SHA512
d00c49bf475c12f86a292c7f01c7c71eb68a59e7b778193e49f66b41905d8053288870d4dd0368ef769472574fbd4475368715ad5fae8be7477c3af754a9a8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
598bca318bda90f00d782df541bc008d

SHA1
e3f388fa7ba0ccb4d1f4ae8d05ee800986e31aa5

SHA256
aabf20a65ddd35f6af4307e0f9acf8c7e9de8b548d19fdfb695c81a063f9e45b

SHA512
d98a98618cd96c6c885b2acc30b78c5197bc6e57a4738e77c4b63ffbcc7a622096eb10f8554639710d56b12035806672f2ed70dc70e8c27e6ce237395bb67dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f194117ad7acc7380f34daf7838a2e3

SHA1
27b7b94c215a6d8aef9414e047b05148f33da73a

SHA256
cba525f8234e810b8d231c7cb0297434f658642d64241385ae9f1ebb658315cf

SHA512
e19ea46573654bf737a88e8ef0ad57a1329fa477212dd0a87c7bb5240f85910136f7cb9614e3235740335ebd2cfa783c9a59967ce1b278d95cf744b742d5b3bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac99b797b02e8f5da46aac5a8a06a714

SHA1
b905b8f3bce8cf6965e51343e94a970a8105bd49

SHA256
bc4c6de6f9aa033d28cb074e04a65c25cf91ccc70cd842320e68f5b20cb9060b

SHA512
952b5a18ce4f848fb43d45b1f35e5242674321a3346c0a68f88451c6be7c4d26c3dac5cad388b34113b51ff03044246c3b2d21b79ef1b4ebb8195d04e01472e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56d9c69b5a1195852306389ca5861f97

SHA1
7252e60643ae3e7023a38accb54ba70eae4a3816

SHA256
0ff8680be055ae5381180eedf7c64b8bb541fd617561e3282585546167516bac

SHA512
d0fc92f3a935ee10e71838e51ef328e94c45dde3bf3ed16ed6a7d94b73ab39c6fb582b7a4a7f03ed33d11df2f14978bfcbbcc2c967081fb42bdf62b496dc3fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fa36e7c5ea13178edc899b8efa33ad9

SHA1
8369e8bbc8e99f9f16e75bffcda14f8e535897cd

SHA256
5473f8bfe7a29f80b245b1e391efed05b5fb57a88ce645fb24a71c971d5b115a

SHA512
b6cb0abd9ae7b332bce57e1b6bb4c5b81a75e98d7820ddfd717021dfe6cae392868e929d74aa0522899a24e025a85192314a6a604b42740961a8993302a88c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
412168d96bfbc2d49b85d348c88b06a4

SHA1
8b743a9fda425f4bd6349c7a75353d741ec7de62

SHA256
3fa3b0c87c1c9c5415bc6cc43aee7009ac9bccbcf86d785968f19f001a6a6b3a

SHA512
3fbb0950a79b4a1e669d3ce198e174ec486daef0d59a97c1dff8739bed5f4f7ef8fd0a7f65ac107e68de1836767ca7055c01a9982930653c82be67246fb54d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00c5e14070cd5dd774171c145036e1c8

SHA1
cbadb251f1b1e591c4266dae78c9c20f345fde0a

SHA256
b79de8b3cd0de33346c1e75b799cdfd950bae558df7dc8cbee07ed637b169153

SHA512
39404f2cf0ef1d429dcdf8397222fffb7e5215b3a5ed76fc52f07fa73ad32b98651c94821b62b27f17aa43d632756f960f848d4f61bbda689152ad5539d0636f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed5124965462ff0d72e4615d56164c3

SHA1
1b0a39fb2d404269eaef8dcbbce9788ce0428aa8

SHA256
a50191fe84819677bd1c8be77d7c5361e73de0e462bb1c9c67b8a7a223734563

SHA512
594b52685285d74a78630bc92e656c44edcbd75fc4f3b923da444c177c5ce042b2835024046ceb04278c2a8788dcfd1894c6d305becceb2c0acbfe474423260f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE64A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE6CB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF355DB77E4499E08E.TMP

Filesize
16KB

MD5
3bdba93f24f48ddeed1f8dd6b7b284b7

SHA1
d9b801045b6c7831ba62c0999fe39a401e2d8efa

SHA256
a6ddc5ceeaf06b236c75c4db97a2827ffa02c6ffdc107584b9bedc115e7254fe

SHA512
620a8666efc2889deca937e7f16f1ba6f88e127feef1275039d829681acd74f9e001a06969263432851a94cf470addf729a160e31675b9dac5fd7c601ebd615f

Download Submit
\??\c:\drad\ONKVD.dll

Filesize
304KB

MD5
0828f63b9396fead9231cae937694a37

SHA1
66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8

SHA256
fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4

SHA512
dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

Download Submit
memory/2292-15-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2672-16-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2672-13-0x0000000002860000-0x00000000029BC000-memory.dmp

Filesize
1.4MB

Download
memory/2672-12-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2672-9-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2672-6-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download