Trickbot Malware Activity

Aug 12, 2024 · attack.execution attack.t1559 detection.emerging-threats ·

Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"

Sigma rule (View on GitHub)

 1title: Trickbot Malware Activity
 2id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
 3related:
 4    - id: c37510b8-2107-4b78-aa32-72f251e7a844
 5      type: similar
 6status: stable
 7description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
 8references:
 9    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
10    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
11author: Florian Roth (Nextron Systems)
12date: 2020-11-26
13modified: 2021-11-27
14tags:
15    - attack.execution
16    - attack.t1559
17    - detection.emerging-threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Image|endswith: '\wermgr.exe'
24        ParentImage|endswith: '\rundll32.exe'
25        ParentCommandLine|contains: 'DllRegisterServer'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

x.com

Read More
Analysis sport.dll (MD5: F99ADAB7B2560097119077B99ACEB40D) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Trickbot Malware Activity

Sigma rule (View on GitHub)

References

x.com

Analysis sport.dll (MD5: F99ADAB7B2560097119077B99ACEB40D) Malicious activity - Interactive analysis ANY.RUN

Related rules