trickbot | 4e988f47cc21b69536d5f7d6b824a0e9890a2d65eeafc139d3f980555bdc5e4f

General

Target

attendees.xlsm
Size

535KB
MD5

b556307e1e6462a9aea5dc1f76667d10
SHA1

e3525ffd85d51a0a502012492ed1ef54d22eec88
SHA256

804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19
SHA512

51666a80ae3ae2ba69954f47e36521ce08cece8dd258498a7cf88e6c2586fa9a66776c78d68538bca5568965ebca87e9d04ce79db2c2388716ab73182af7164b
SSDEEP

12288:E9ijex0VbLbGeH+59SjrPImbT4XXO8RGNQpRtL8PZY4krmStNpc:E9fKVbLte52rPImbCjGWpj8BYVmSt/c

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4684	4376	tar.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3776	4376	rundll32.exe	81

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral2/memory/1688-59-0x0000000000C90000-0x0000000000CC9000-memory.dmp	templ_dll
behavioral2/memory/1688-63-0x0000000000EA0000-0x0000000000ED7000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
1688	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4376	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	wermgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4376	EXCEL.EXE
4376	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4684	4376	EXCEL.EXE	85
PID 4376 wrote to memory of 4684	4376	EXCEL.EXE	85
PID 4376 wrote to memory of 3776	4376	EXCEL.EXE	88
PID 4376 wrote to memory of 3776	4376	EXCEL.EXE	88
PID 3776 wrote to memory of 1688	3776	rundll32.exe	89
PID 3776 wrote to memory of 1688	3776	rundll32.exe	89
PID 3776 wrote to memory of 1688	3776	rundll32.exe	89
PID 1688 wrote to memory of 3252	1688	rundll32.exe	90
PID 1688 wrote to memory of 3252	1688	rundll32.exe	90
PID 1688 wrote to memory of 3252	1688	rundll32.exe	90
PID 1688 wrote to memory of 3252	1688	rundll32.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:4684
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
77df3c73e8df1619c17bcda5a8ba0d9b

SHA1
601a79f55bbc518f943ca209b961d5fc8d10491b

SHA256
e1befd0bb48f9981fee8758c49d533bfabc2117d267f19616f3cbb04c4a25bae

SHA512
543d785275366d9394587bf45e94b14c096c6690c8a614fa4065d717f6ab28b1e0a4aa24b70a2abf891a7a16557b56975ad7b196dc7d7baf1a5d64a8c925db44

Download Submit
C:\Users\Admin\xl\media\image2.bmp

Filesize
496KB

MD5
814071ec92b0429d274082e3993aa5af

SHA1
0f191570dcbecda0c18c48eac960c0def6779e2f

SHA256
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

SHA512
a6b4013630655a6754b59e0cdb76d85a3a165bc8506ce55fd4aef99bf1790e7abc9dfa071dcd7ce0fcf528a9a483ff91f14fa7f8d80048a4e41c4c9f2d38cf68

Download Submit
memory/1688-71-0x0000000002470000-0x00000000024B3000-memory.dmp

Filesize
268KB

Download
memory/1688-67-0x0000000002470000-0x00000000024B3000-memory.dmp

Filesize
268KB

Download
memory/1688-63-0x0000000000EA0000-0x0000000000ED7000-memory.dmp

Filesize
220KB

Download
memory/1688-59-0x0000000000C90000-0x0000000000CC9000-memory.dmp

Filesize
228KB

Download
memory/3252-68-0x000002A54B1F0000-0x000002A54B1F1000-memory.dmp

Filesize
4KB

Download
memory/4376-12-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-20-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-11-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-13-0x00007FFED2240000-0x00007FFED2250000-memory.dmp

Filesize
64KB

Download
memory/4376-10-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-8-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-7-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-14-0x00007FFED2240000-0x00007FFED2250000-memory.dmp

Filesize
64KB

Download
memory/4376-15-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-17-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-18-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-22-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-21-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-0-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/4376-19-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-16-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-9-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-6-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/4376-5-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-4-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/4376-66-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-2-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/4376-3-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/4376-69-0x00007FFF1486D000-0x00007FFF1486E000-memory.dmp

Filesize
4KB

Download
memory/4376-70-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/4376-1-0x00007FFF1486D000-0x00007FFF1486E000-memory.dmp

Filesize
4KB

Download
memory/4376-72-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads