Analysis
max time kernel: 135s
max time network: 131s
platform: windows10_x64
resource: win10
submitted: 04-07-2020 06:33
Static task: static1
Behavioral task: behavioral1
Sample: Document_Covid-19_7.xls
Resource: win7v200430
General
Target: Document_Covid-19_7.xls
Size: 85KB
MD5: 58b62b641066a1ea49e34a2f711a1854
SHA1: 4bf1830ed130fe97e50807b1a4ba4749c8fefe75
SHA256: 810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
SHA512: 82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2
Malware Config
Extracted
Family: trickbot
Version: 1000512
Botnet: chil58
C2:
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
Attributes:
autorunName: pwgrab
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description       | ioc                                                              | process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS               | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     | EXCEL.EXE

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description                                                                                       | pid  | pid_target | process      | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3164 | 3684       | rundll32.exe | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: wermgr.exe
description             | pid  | process
Token: SeDebugPrivilege | 3740 | wermgr.exe (3 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: EXCEL.EXE, rundll32.exe, rundll32.exe
description                         | pid  | process      | target process
PID 3684 wrote to memory of 3164    | 3684 | EXCEL.EXE    | rundll32.exe (2 identical entries)
PID 3164 wrote to memory of 3132    | 3164 | rundll32.exe | rundll32.exe (3 identical entries)
PID 3132 wrote to memory of 3740    | 3132 | rundll32.exe | wermgr.exe (4 identical entries)

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid  | process
3132 | rundll32.exe

Templ.dll packer (2 IoCs)
Detects Templ.dll packer which usually loads Trickbot.
resource                                                                   | yara_rule
behavioral2/memory/3132-4-0x00000000051B0000-0x00000000051DE000-memory.dmp | templ_dll
behavioral2/memory/3132-5-0x00000000051E0000-0x000000000520D000-memory.dmp | templ_dll

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description       | ioc                                                                                 | process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
pid  | process
3684 | EXCEL.EXE (12 identical entries)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
pid  | process
3684 | EXCEL.EXE
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_Covid-19_7.xls"
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener

  C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll,DllRegisterServer
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll,DllRegisterServer
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL

      C:\Windows\system32\wermgr.exe
        Command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\eNNzmNj\wLrKvzZ\UQEZPGU.dll
\eNNzmNj\wLrKvzZ\UQEZPGU.dll
memory/3132-2-0x0000000000000000-mapping.dmp
memory/3132-4-0x00000000051B0000-0x00000000051DE000-memory.dmp (Filesize: 184KB)
memory/3132-5-0x00000000051E0000-0x000000000520D000-memory.dmp (Filesize: 180KB)
memory/3164-0-0x0000000000000000-mapping.dmp
memory/3740-6-0x0000000000000000-mapping.dmp