Trickbot Malware Activity

 1title: Trickbot Malware Activity
 2id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
 3related:
 4    - id: c37510b8-2107-4b78-aa32-72f251e7a844
 5      type: similar
 6status: stable
 7description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
 8references:
 9    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
10    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
11author: Florian Roth (Nextron Systems)
12date: 2020/11/26
13modified: 2021/11/27
14tags:
15    - attack.execution
16    - attack.t1559
17    - detection.emerging_threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Image|endswith: '\wermgr.exe'
24        ParentImage|endswith: '\rundll32.exe'
25        ParentCommandLine|contains: 'DllRegisterServer'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Analysis sport.dll (MD5: F99ADAB7B2560097119077B99ACEB40D) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• Blue Mockingbird
• CVE-2021-1675 Print Spooler Exploitation
• DNS RCE CVE-2020-1350
• DarkSide Ransomware Pattern
• Elise Backdoor Activity