trickbot | 4e988f47cc21b69536d5f7d6b824a0e9890a2d65eeafc139d3f980555bdc5e4f

General

Target

attendees.xlsm
Size

535KB
MD5

b556307e1e6462a9aea5dc1f76667d10
SHA1

e3525ffd85d51a0a502012492ed1ef54d22eec88
SHA256

804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19
SHA512

51666a80ae3ae2ba69954f47e36521ce08cece8dd258498a7cf88e6c2586fa9a66776c78d68538bca5568965ebca87e9d04ce79db2c2388716ab73182af7164b
SSDEEP

12288:E9ijex0VbLbGeH+59SjrPImbT4XXO8RGNQpRtL8PZY4krmStNpc:E9fKVbLte52rPImbCjGWpj8BYVmSt/c

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4044	2244	tar.exe	76
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	996	2244	rundll32.exe	76

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral3/memory/3168-57-0x00000000030F0000-0x0000000003129000-memory.dmp	templ_dll
behavioral3/memory/3168-60-0x0000000003130000-0x0000000003167000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
3168	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2244	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	wermgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2244	EXCEL.EXE
2244	EXCEL.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE
2244	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4044	2244	EXCEL.EXE	78
PID 2244 wrote to memory of 4044	2244	EXCEL.EXE	78
PID 2244 wrote to memory of 996	2244	EXCEL.EXE	80
PID 2244 wrote to memory of 996	2244	EXCEL.EXE	80
PID 996 wrote to memory of 3168	996	rundll32.exe	81
PID 996 wrote to memory of 3168	996	rundll32.exe	81
PID 996 wrote to memory of 3168	996	rundll32.exe	81
PID 3168 wrote to memory of 3788	3168	rundll32.exe	82
PID 3168 wrote to memory of 3788	3168	rundll32.exe	82
PID 3168 wrote to memory of 3788	3168	rundll32.exe	82
PID 3168 wrote to memory of 3788	3168	rundll32.exe	82

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:4044
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3788

Network

DNS

roaming.officeapps.live.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

roaming.officeapps.live.com

IN A

Response

roaming.officeapps.live.com

IN CNAME

prod.roaming1.live.com.akadns.net

prod.roaming1.live.com.akadns.net

IN CNAME

eur.roaming1.live.com.akadns.net

eur.roaming1.live.com.akadns.net

IN CNAME

neu-azsc-000.roaming.officeapps.live.com

neu-azsc-000.roaming.officeapps.live.com

IN CNAME

osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com

osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com

IN A

52.109.76.243
DNS

ctldl.windowsupdate.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

240.76.109.52.in-addr.arpa

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

240.76.109.52.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

11.173.189.20.in-addr.arpa

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

11.173.189.20.in-addr.arpa

IN PTR

Response
POST

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

EXCEL.EXE

Remote address:

52.109.76.243:443

Request

POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_361
X-OfficeVersion: 16.0.18510.30576
X-OfficeCluster: neu-000.roaming.officeapps.live.com
Content-Security-Policy-Report-Only: script-src 'nonce-RhIxcwKWDWlL5kdSBEiJHhXiegBvwug4kTqY3aY2iBHdaJQsZoQEcZPEO63WD0l4kJ2nDjB+DtrUcnO2iDrMnPYIlmprkaymg4SZ8kqMCQgW7fA2hg3mC0Mt5EfhBvZ5nbUntAUzVocIqU2vHnruUlxTB2Lk5IQDn5YaZI8l8XQ=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
X-Frame-Options: Deny
X-CorrelationId: da8efc87-ca33-44a4-8c01-f347aefffce5
X-Powered-By: ASP.NET
Date: Mon, 20 Jan 2025 21:37:01 GMT
Content-Length: 654
DNS

243.76.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

243.76.109.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

52.109.76.243:443

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

tls, http

EXCEL.EXE

1.8kB
8.3kB
12
11

HTTP Request

POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

HTTP Response

200
103.124.173.35:443

wermgr.exe

208 B
4

8.8.8.8:53

roaming.officeapps.live.com

dns

EXCEL.EXE

357 B
924 B
5
5

DNS Request

roaming.officeapps.live.com

DNS Response

52.109.76.243

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

240.76.109.52.in-addr.arpa

DNS Request

5.114.82.104.in-addr.arpa

DNS Request

11.173.189.20.in-addr.arpa
8.8.8.8:53

243.76.109.52.in-addr.arpa

dns

146 B
274 B
2
2

DNS Request

243.76.109.52.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
74a72c04b1e914bfd218055742cebd4c

SHA1
7859d04712c53fdb7d2d434935dd38d52d52c6fc

SHA256
53dee1fd89e04671eb5d89a0f1c8c7ed9b4bbc22a4563e26b1484be894c6cf57

SHA512
58b4344c4da4fa972b2a20197cfff4333ea720e8720e5a56a40770eb20f44e8985d88fc00d66ba0b3db4ceecb61ba9eed1f6bce9526b66016580c9eb2da43b12

Download Submit
C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
7a6c91d26a7d86f949b5618ad4cd1945

SHA1
0e1329870ea5b53592de4dd2b9c6ceee9949ab31

SHA256
29887aceccb58ad4686fe1db46d29cbe3baddb7c2e7f9e85b5fc8ded34afa570

SHA512
cfc09381f9939867394da713aab1fe4827de3c9739957f9ecc205538d8d6f7a9d33fd37ace89e700639c483bb9bcf087fa4e10de718012afce11f601315a51e9

Download Submit
C:\Users\Admin\xl\media\image2.bmp

Filesize
496KB

MD5
814071ec92b0429d274082e3993aa5af

SHA1
0f191570dcbecda0c18c48eac960c0def6779e2f

SHA256
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

SHA512
a6b4013630655a6754b59e0cdb76d85a3a165bc8506ce55fd4aef99bf1790e7abc9dfa071dcd7ce0fcf528a9a483ff91f14fa7f8d80048a4e41c4c9f2d38cf68

Download Submit
memory/2244-9-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-15-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-1-0x00007FF9CBB30000-0x00007FF9CBB40000-memory.dmp

Filesize
64KB

Download
memory/2244-7-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-8-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-0-0x00007FF9CBB30000-0x00007FF9CBB40000-memory.dmp

Filesize
64KB

Download
memory/2244-11-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-10-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-12-0x00007FF9C97D0000-0x00007FF9C97E0000-memory.dmp

Filesize
64KB

Download
memory/2244-13-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-6-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-16-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-17-0x00007FF9C97D0000-0x00007FF9C97E0000-memory.dmp

Filesize
64KB

Download
memory/2244-19-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-5-0x00007FF9CBB30000-0x00007FF9CBB40000-memory.dmp

Filesize
64KB

Download
memory/2244-20-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-21-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-22-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-18-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-14-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-2-0x00007FF9CBB30000-0x00007FF9CBB40000-memory.dmp

Filesize
64KB

Download
memory/2244-4-0x00007FF9CBB30000-0x00007FF9CBB40000-memory.dmp

Filesize
64KB

Download
memory/2244-3-0x00007FFA0BB43000-0x00007FFA0BB44000-memory.dmp

Filesize
4KB

Download
memory/2244-68-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-67-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/2244-66-0x00007FFA0BAA0000-0x00007FFA0BCA9000-memory.dmp

Filesize
2.0MB

Download
memory/3168-65-0x0000000003390000-0x00000000033D3000-memory.dmp

Filesize
268KB

Download
memory/3168-63-0x0000000003390000-0x00000000033D3000-memory.dmp

Filesize
268KB

Download
memory/3168-60-0x0000000003130000-0x0000000003167000-memory.dmp

Filesize
220KB

Download
memory/3168-57-0x00000000030F0000-0x0000000003129000-memory.dmp

Filesize
228KB

Download
memory/3788-64-0x0000019CA6FE0000-0x0000019CA6FE1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.