Resubmissions

17-09-2020 00:03

200917-atnm7rl5tj 10

16-09-2020 21:31

200916-w52vg1yl1a 10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    16-09-2020 21:31

General

  • Target

    131.doc

  • Size

    534KB

  • MD5

    3e241f5a1e7be77f25078560c8660351

  • SHA1

    ba25c371e75d1a52c1f41c163dc8840626423948

  • SHA256

    22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1

  • SHA512

    4f031f6a3e44687ca65ceec847aacf3053feec0882bd5c07febef85ba1a7570ec1f4357446dfc84226448e1d8eb342066eeb3e6e7394d53caadd66223a2ff345

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes

  • autorun
    Name:pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Loads dropped DLL ⋅ 1 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service ⋅ 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry ⋅ 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings ⋅ 1 TTPs 39 IoCs
  • Suspicious behavior: AddClipboardFormatListener ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 19 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:1064
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
    Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
      PID:1348
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
      PID:2456
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
      Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\drad\ONKVD.dll
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          Suspicious use of AdjustPrivilegeToken
          PID:2716
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82945 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2180

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\Drad\ONKVD.dll
  • C:\ProgramData\openssl.vbe
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OSIMJSAC.cookie
  • \??\c:\drad\ONKVD.dll
  • \Drad\ONKVD.dll
  • memory/1064-5-0x000001E491050000-0x000001E491094000-memory.dmp
  • memory/1064-3-0x000001E489D74000-0x000001E489DAD000-memory.dmp
  • memory/1064-6-0x000001E491050000-0x000001E491094000-memory.dmp
  • memory/1064-0-0x00007FFEF8AE0000-0x00007FFEF91A6000-memory.dmp
  • memory/1064-4-0x000001E491050000-0x000001E491094000-memory.dmp
  • memory/1064-1-0x000001E489D74000-0x000001E489DAD000-memory.dmp
  • memory/1064-2-0x000001E491050000-0x000001E491094000-memory.dmp
  • memory/1348-10-0x0000000000000000-mapping.dmp
  • memory/1440-14-0x0000000000000000-mapping.dmp
  • memory/2180-11-0x0000000000000000-mapping.dmp
  • memory/2456-12-0x0000000000000000-mapping.dmp
  • memory/2716-20-0x0000000000000000-mapping.dmp
  • memory/3212-16-0x0000000000000000-mapping.dmp
  • memory/3212-19-0x0000000000A20000-0x0000000000A56000-memory.dmp
  • memory/3212-18-0x00000000009E0000-0x0000000000A17000-memory.dmp