Analysis
-
max time kernel
136s -
max time network
135s -
platform
windows10_x64 -
resource
win10 -
submitted
26-08-2020 13:47
General
-
Target
Notification082520.doc
-
Size
285KB
-
MD5
f9cac6a43d460d5afc7428a1014a59af
-
SHA1
e7ae3fe9226a646711c7b31593e05368b4395d2a
-
SHA256
49a193afe2b75716f99338d1653dd321db5b0b4af3be050691605a861471be2e
-
SHA512
c12f18c7e4fee24fdcaf145178967295c5d11d6565590cc3f3db8fbf7d30432185651151156873142e52137ac50787d8d6f9d992ec4a149cbdf3a5926b59746d
Malware Config
Extracted
trickbot
1000513
chil103
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
-
autorunName:pwgrab
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Templ.dll packer 4 IoCs
Detects Templ.dll packer which usually loads Trickbot.
-
Blacklisted process makes network request 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Notification082520.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe zipfldr.dll,RouteTheCall c:\syslogs\fa.vbs1⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\syslogs\fa.vbs"2⤵
- Blacklisted process makes network request
-
C:\Windows\system32\REGSVR32.exeREGSVR32 -s c:\syslogs\w_monitor.dll1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s c:\syslogs\w_monitor.dll2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\syslogs\fa.vbs
-
\??\c:\syslogs\w_monitor.dll
-
\syslogs\w_monitor.dll
-
memory/632-9-0x0000000000000000-mapping.dmp
-
memory/632-11-0x0000000003390000-0x00000000033BE000-memory.dmpFilesize
184KB
-
memory/632-12-0x0000000003400000-0x000000000342C000-memory.dmpFilesize
176KB
-
memory/900-13-0x0000000000000000-mapping.dmp
-
memory/3044-0-0x00007FFBC8230000-0x00007FFBC88F6000-memory.dmpFilesize
6.8MB
-
memory/3628-7-0x0000000000000000-mapping.dmp