Overview

overview

10

Static

static

8

Notificati...20.doc

windows7_x64

10

Notificati...20.doc

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    26-08-2020 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notification082520.doc

  • Size

    285KB

  • MD5

    f9cac6a43d460d5afc7428a1014a59af

  • SHA1

    e7ae3fe9226a646711c7b31593e05368b4395d2a

  • SHA256

    49a193afe2b75716f99338d1653dd321db5b0b4af3be050691605a861471be2e

  • SHA512

    c12f18c7e4fee24fdcaf145178967295c5d11d6565590cc3f3db8fbf7d30432185651151156873142e52137ac50787d8d6f9d992ec4a149cbdf3a5926b59746d

Score
10/10
trojanbankertrickbot

Malware Config

Extracted

Family

trickbot

Version

1000513

Botnet

chil103

C2

51.89.177.20:443

194.5.249.174:443

107.174.196.242:443

185.205.209.241:443

82.146.46.220:443

5.34.178.126:443

212.22.70.65:443

195.123.241.90:443

185.164.32.214:443

198.46.198.139:443

195.123.241.187:443

86.104.194.116:443

195.123.240.252:443

185.164.32.215:443

45.148.120.195:443

45.138.158.32:443

5.149.253.99:443

92.62.65.163:449

88.247.212.56:449

180.211.170.214:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 4 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

  • Blacklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Notification082520.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3044
  • C:\Windows\system32\rundll32.exe
    rundll32.exe zipfldr.dll,RouteTheCall c:\syslogs\fa.vbs
    1⤵
    • Process spawned unexpected child process
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\syslogs\fa.vbs"
      2⤵
      • Blacklisted process makes network request
      PID:3628
  • C:\Windows\system32\REGSVR32.exe
    REGSVR32 -s c:\syslogs\w_monitor.dll
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SysWOW64\regsvr32.exe
      -s c:\syslogs\w_monitor.dll
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/632-11-0x0000000003390000-0x00000000033BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/632-12-0x0000000003400000-0x000000000342C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3044-0-0x00007FFBC8230000-0x00007FFBC88F6000-memory.dmp

    Filesize

    6.8MB

    Download