Trickbot Dynamic Analysis

Fabian Sybille • July 8, 2021
1. Before doing anything, I'm going to use RegShot to take a snapshot of what the registry looks like on the host I'm going to infect with TrickBot. Later on, after I've infected the host, I'll run RegShot a second time. Then we'll use the Compare button in RegShot to compare the two records and it'll tell us what changes have taken place. I've opened RegShot, clicked 1st shot and followed the prompts.

2. Start Process Explorer and Process Monitor.

3. Run TrickBot.

4. Immediately after running TrickBot.exe, it appears in Process Explorer.

5. After a few seconds to a minute, TrickBot disappears from Process Explorer.

6. Svchost appears in Process Explorer. We can assume that this Svchost process was launched by TrickBot. TrickBot is known to use process hollowing: it starts Svchost in a suspended state, so the legitimate Svchost code is loaded into memory but does not yet run. TrickBot then copies its malicious code into that process and resumes it, so the process executes the injected code. The result is a legitimate-looking program that is running malicious code. This is a mechanism used to keep TrickBot hidden.

7. Stop Process Monitor.

8. Take the 2nd shot with RegShot.

9. Once the 2nd shot is complete, I clicked the Compare button in RegShot. This opens a text file that shows you all of the changes between the 1st and 2nd shots. The things that stood out to me immediately as suspicious were the keys and values that were added to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. That location is used for Windows Scheduled Tasks. Scheduled Tasks can be used by malware to gain persistence on a system.

10. Scrolled down and saw the Files added section. It says C:\Windows\System32\Tasks\Ms Cloud Disk was added. I've never heard of that before but I know TrickBot names malicious files in a way to make them appear legitimate.

11. I went to that directory, to C:\Windows\System32\Tasks. This is where scheduled tasks are stored.

12. I opened the Ms Cloud Disk file. I see all of the scheduled task settings. Toward the bottom, I see the command C:\Users\Malcolm Mills\AppData\Roaming\MsCloud\Vticmbqt.exe. So this lets me know TrickBot dropped another executable onto the host, Vticmbqt.exe.

13. I opened Process Monitor next. There were over 300,00 events, so I added the following filters:

  • Process Name is trickbot.exe
  • Operation is WriteFile - Anytime TrickBot wrote to a file
  • Operation is RegSetValue - Anytime TrickBot modified anything in the registry
  • Process Name is Vticmbqt.exe
  • Operation is SetDispositionInformationFile - This is the operation that's used when a file gets deleted or renamed.

I added the filters one by one and they never produced any results. 

14. Since there were no results from those filters, I tried one more:

  • Path ends with Vticmbqt.exe

15. This filter gave results. It shows svchost creating files and writing to the disk. This lets us know that svchost wrote the Vticmbqt.exe file to disk, and it confirms that svchost is malicious and does the dirty work for TrickBot via the process hollowing technique I mentioned earlier.
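To show the pivot in steps 13 to 15 in code, here is an added example that is not part of the original post: it applies the same Process Monitor filters to a constructed CSV export, so that filtering on the dropper's process name turns up no writes while "Path ends with" names svchost.exe as the process that wrote Vticmbqt.exe. The CSV rows, PIDs and times are made up for the example; the column names follow Procmon's CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format);
# the rows, PIDs and times are made up, the column names follow Procmon's export.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","trickbot.exe","4120","Process Create","C:\\Windows\\System32\\svchost.exe","SUCCESS","PID: 5588"
"1:02:04.2","svchost.exe","5588","CreateFile","C:\\Users\\Malcolm Mills\\AppData\\Roaming\\MsCloud\\Vticmbqt.exe","SUCCESS","Desired Access: Generic Write"
"1:02:04.3","svchost.exe","5588","WriteFile","C:\\Users\\Malcolm Mills\\AppData\\Roaming\\MsCloud\\Vticmbqt.exe","SUCCESS","Offset: 0, Length: 65,536"
"1:02:05.0","svchost.exe","5588","CreateFile","C:\\Windows\\System32\\Tasks\\Ms Cloud Disk","SUCCESS","Desired Access: Generic Write"
"1:02:05.1","svchost.exe","5588","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MS Cloud Disk\\Id","SUCCESS","Type: REG_SZ"
"1:02:06.0","explorer.exe","1004","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0"
"""

WRITE_OPS = ("CreateFile", "WriteFile", "RegSetValue", "RegCreateKey",
             "SetDispositionInformationFile")
PERSISTENCE_MARKERS = ("\\windows\\system32\\tasks\\", "\\schedule\\taskcache\\")

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def by_process(events, name):
    """Procmon 'Process Name is' filter (Procmon matches case-insensitively)."""
    return [e for e in events if e["Process Name"].lower() == name.lower()]

def path_ends_with(events, suffix):
    """Procmon 'Path ends with' filter."""
    return [e for e in events if e["Path"].lower().endswith(suffix.lower())]

def writers_of(events, filename):
    """Which process created or wrote a file: {(name, pid): [operations]}."""
    out = defaultdict(list)
    for e in path_ends_with(events, filename):
        if e["Operation"] in WRITE_OPS:
            out[(e["Process Name"], e["PID"])].append(e["Operation"])
    return dict(out)

def persistence_events(events):
    """Writes touching the scheduled-task stores (Tasks folder or TaskCache)."""
    return [(e["Process Name"], e["Operation"], e["Path"]) for e in events
            if e["Operation"] in WRITE_OPS
            and any(m in e["Path"].lower() for m in PERSISTENCE_MARKERS)]

if __name__ == "__main__":
    ev = load_events(PROCMON_CSV)
    print("wrote Vticmbqt.exe:", writers_of(ev, "Vticmbqt.exe"))
    print("persistence:", persistence_events(ev))
```

On a real export, point `load_events` at the saved CSV; the filters behave the same as the Procmon GUI ones, only without the per-click wait.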

Indicators of Compromise

Registry Keys added

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk

Registry Values added

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}\Path: "\Ms Cloud Disk"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk\ID: "{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk\Index: 0x00000001

Files dropped

  • C:\Windows\System32\Tasks\Ms Cloud Disk
  • C:\Users\Malcolm Mills\AppData\Roaming\MSCloud\Vticmbqt.exe

These are the artifacts you could look for on a host that would confirm the host is infected with TrickBot.
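An added example, not from the original post, that automates the RegShot triage of steps 9 and 10 over the indicators listed above: it parses a compare report into its sections and flags entries under the scheduled-task stores (TaskCache and System32\Tasks) and executables dropped under a user profile. The report text is constructed here in the layout of a RegShot Compare file; the header and dashed-rule format is an assumption about that layout.

```python
import re
# Constructed RegShot "Compare" report holding the entries listed above (layout assumed).
REGSHOT_REPORT = r"""
----------------------------------
Keys added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk
----------------------------------
Values added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}\Path: "\Ms Cloud Disk"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk\ID: "{7EBC0E0E-6363-4800-9DA2-F30ABBCA3FF0}"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS Cloud Disk\Index: 0x00000001
----------------------------------
Files added: 2
----------------------------------
C:\Windows\System32\Tasks\Ms Cloud Disk
C:\Users\Malcolm Mills\AppData\Roaming\MSCloud\Vticmbqt.exe
----------------------------------
Total changes: 8
----------------------------------
"""
SECTION_RE = re.compile(r"^[A-Za-z ]+: \d+$")   # "Keys added: 3", also "Total changes: 8"
PERSISTENCE = ("\\schedule\\taskcache\\", "\\windows\\system32\\tasks\\")
USER_DROP = ("\\appdata\\roaming\\", "\\appdata\\local\\")

def parse_report(text):
    """Return {section: [entries]}, ignoring dashed rules and blank lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION_RE.match(line):
            current = line.rsplit(":", 1)[0]
            sections[current] = []
        elif line and set(line) != {"-"} and current:
            sections[current].append(line)
    return sections

def triage(sections):
    """Flag scheduled-task store changes and .exe drops under a user profile."""
    out = []
    for section, entries in sections.items():
        for e in entries:
            low = e.lower()
            if any(p in low for p in PERSISTENCE):
                out.append(("scheduled-task persistence", section, e))
            elif low.endswith(".exe") and any(p in low for p in USER_DROP):
                out.append(("executable dropped in user profile", section, e))
    return out
```

The trailing "Total changes" line parses as an empty section rather than being mistaken for a file entry, which is the one trap in this layout.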