Detecting Trickbot with Splunk
Common Information
Type Value
UUID b6eb9d23-3c8d-44a3-a972-74589b861fc0
Fingerprint 2481811104e6a7c2
Analysis status DONE
Considered CTI value 2
Text language
Published July 21, 2021, 12:12 p.m.
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Detecting Trickbot with Splunk
Title Detecting Trickbot with Splunk
Detected Hints/Tags/Attributes 65/3/16
Attributes
Type | #Events | CTI Value
CVE | 126 | cve-2017-0144
File | 51 | wermgr.exe
File | 37 | 1.dll
File | 2 | wormdll64.dll
File | 2 | systeminfo64.dll
File | 2 | sharedll64.dll
File | 1 | psinf64.dll
File | 2 | networkdll64.dll
File | 1 | injdll64.dll
File | 3 | payload32.dll
File | 1018 | rundll32.exe
Mandiant Uncategorized Groups | 27 | UNC1878