trickbot | 4e988f47cc21b69536d5f7d6b824a0e9890a2d65eeafc139d3f980555bdc5e4f

General

Target

attendees.xlsm
Size

535KB
MD5

b556307e1e6462a9aea5dc1f76667d10
SHA1

e3525ffd85d51a0a502012492ed1ef54d22eec88
SHA256

804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19
SHA512

51666a80ae3ae2ba69954f47e36521ce08cece8dd258498a7cf88e6c2586fa9a66776c78d68538bca5568965ebca87e9d04ce79db2c2388716ab73182af7164b
SSDEEP

12288:E9ijex0VbLbGeH+59SjrPImbT4XXO8RGNQpRtL8PZY4krmStNpc:E9fKVbLte52rPImbCjGWpj8BYVmSt/c

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4736	4156	tar.exe	86
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3572	4156	rundll32.exe	86

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral2/memory/2996-57-0x0000000002280000-0x00000000022B9000-memory.dmp	templ_dll
behavioral2/memory/2996-60-0x00000000024C0000-0x00000000024F7000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
2996	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4156	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5532	wermgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE
4156	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 4736	4156	EXCEL.EXE	90
PID 4156 wrote to memory of 4736	4156	EXCEL.EXE	90
PID 4156 wrote to memory of 3572	4156	EXCEL.EXE	97
PID 4156 wrote to memory of 3572	4156	EXCEL.EXE	97
PID 3572 wrote to memory of 2996	3572	rundll32.exe	98
PID 3572 wrote to memory of 2996	3572	rundll32.exe	98
PID 3572 wrote to memory of 2996	3572	rundll32.exe	98
PID 2996 wrote to memory of 5532	2996	rundll32.exe	100
PID 2996 wrote to memory of 5532	2996	rundll32.exe	100
PID 2996 wrote to memory of 5532	2996	rundll32.exe	100
PID 2996 wrote to memory of 5532	2996	rundll32.exe	100

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:4736
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
33f52cc849dbcf8c00b6d8a85a3a3877

SHA1
7c9b26553172f144122f71b8e85828ccab5dba56

SHA256
fef20e9c8f637d528a96e011477e258a4a2209f5f05da46df8eb57cf2cba8ab0

SHA512
500b3390f4d4334689fa7e7641dfaa3d1f9d28a320f1369b71ece7611af0c80037a95e8736cb8c7d1c0cd7ec524ce2df6cf304586de68a11097e6d335f95ecea

Download Submit
C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
e8e77bb34f44a71e79f711c321099bc1

SHA1
f15ee793a7a0136215b571d827b8488d2795ae46

SHA256
b1bb2db67f7899cce912342bf3e1dad24806ff0cc3d7c6a716852363d264d9ec

SHA512
8a96523f216b040b03f784c041dddfd90cfdc790e610bf899988f813139487127937fa039de7b5d8e4820d41fe5378ade4f6405c9804c44bb03ae6e51ef32b0e

Download Submit
C:\Users\Admin\xl\media\image2.bmp

Filesize
496KB

MD5
814071ec92b0429d274082e3993aa5af

SHA1
0f191570dcbecda0c18c48eac960c0def6779e2f

SHA256
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

SHA512
a6b4013630655a6754b59e0cdb76d85a3a165bc8506ce55fd4aef99bf1790e7abc9dfa071dcd7ce0fcf528a9a483ff91f14fa7f8d80048a4e41c4c9f2d38cf68

Download Submit
memory/2996-66-0x0000000002500000-0x0000000002543000-memory.dmp

Filesize
268KB

Download
memory/2996-63-0x0000000002500000-0x0000000002543000-memory.dmp

Filesize
268KB

Download
memory/2996-60-0x00000000024C0000-0x00000000024F7000-memory.dmp

Filesize
220KB

Download
memory/2996-57-0x0000000002280000-0x00000000022B9000-memory.dmp

Filesize
228KB

Download
memory/4156-11-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-9-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-15-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-16-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-17-0x00007FFF0F530000-0x00007FFF0F540000-memory.dmp

Filesize
64KB

Download
memory/4156-18-0x00007FFF0F530000-0x00007FFF0F540000-memory.dmp

Filesize
64KB

Download
memory/4156-14-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-19-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-13-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-12-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-10-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-8-0x00007FFF11590000-0x00007FFF115A0000-memory.dmp

Filesize
64KB

Download
memory/4156-4-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-3-0x00007FFF11590000-0x00007FFF115A0000-memory.dmp

Filesize
64KB

Download
memory/4156-7-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-5-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-1-0x00007FFF515AD000-0x00007FFF515AE000-memory.dmp

Filesize
4KB

Download
memory/4156-6-0x00007FFF11590000-0x00007FFF115A0000-memory.dmp

Filesize
64KB

Download
memory/4156-2-0x00007FFF11590000-0x00007FFF115A0000-memory.dmp

Filesize
64KB

Download
memory/4156-65-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-0-0x00007FFF11590000-0x00007FFF115A0000-memory.dmp

Filesize
64KB

Download
memory/4156-67-0x00007FFF515AD000-0x00007FFF515AE000-memory.dmp

Filesize
4KB

Download
memory/4156-68-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/4156-69-0x00007FFF51510000-0x00007FFF51705000-memory.dmp

Filesize
2.0MB

Download
memory/5532-64-0x0000027083E60000-0x0000027083E61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads