Resubmissions

17-09-2020 00:03

200917-atnm7rl5tj 10

16-09-2020 21:31

200916-w52vg1yl1a 10

Analysis

  • max time kernel
    266s
  • max time network
    302s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    17-09-2020 00:03

General

  • Target

    131.doc

  • Size

    534KB

  • MD5

    3e241f5a1e7be77f25078560c8660351

  • SHA1

    ba25c371e75d1a52c1f41c163dc8840626423948

  • SHA256

    22d653dab4765e13c5fce0bf46a28a098d05582148fdf3101093f3687b42a5f1

  • SHA512

    4f031f6a3e44687ca65ceec847aacf3053feec0882bd5c07febef85ba1a7570ec1f4357446dfc84226448e1d8eb342066eeb3e6e7394d53caadd66223a2ff345

Score
10/10

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449

Attributes

  • autorun
    Name: pwgrab
  • ecc_pubkey.base64
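The extracted config above is most useful as a lookup table. The following is an added example, not part of the sandbox report: it parses the report's C2 list into an ip-to-ports map, classifies constructed connection records against it (an exact ip:port hit versus a listed host seen on another port, since this config mixes 443 and 449), and emits one Suricata alert rule per endpoint. The connection records, the rule message text and the SID range are this example's own assumptions.

```python
"""Turn the C2 list extracted above into a lookup table, match constructed
connection records against it, and emit Suricata rules for the endpoints.
Added example: not part of the sandbox report. The C2 entries are copied
from the report's extracted config; the connection records are constructed."""
from collections import Counter

# ip:port endpoints exactly as listed in the report (botnet tag ono76).
C2_ENDPOINTS = """
51.89.163.40:443 89.223.126.186:443 45.67.231.68:443 148.251.185.165:443
194.87.110.144:443 213.32.84.27:443 185.234.72.35:443 45.89.125.148:443
195.123.240.104:443 185.99.2.243:443 5.182.211.223:443 195.123.240.113:443
85.204.116.173:443 5.152.210.188:443 103.36.48.103:449 36.94.33.102:449
36.91.87.227:449 177.190.69.162:449 103.76.169.213:449 179.97.246.23:449
""".split()


def parse_c2(entries):
    """Map each C2 IP to the set of ports the config lists for it."""
    table = {}
    for entry in entries:
        ip, port = entry.rsplit(":", 1)
        table.setdefault(ip, set()).add(int(port))
    return table


def classify(table, dst_ip, dst_port):
    """'exact' for a listed ip:port, 'host_only' when the host is listed but
    on a different port (this config uses 443 and 449), None otherwise."""
    ports = table.get(dst_ip)
    if ports is None:
        return None
    return "exact" if dst_port in ports else "host_only"


# Constructed connection records: (src_ip, dst_ip, dst_port). Not from the report.
FLOWS = [
    ("10.0.0.15", "51.89.163.40", 443),   # exact hit on a listed endpoint
    ("10.0.0.15", "103.36.48.103", 443),  # listed host; the report lists port 449
    ("10.0.0.22", "93.184.216.34", 443),  # unrelated destination
    ("10.0.0.15", "51.89.163.40", 443),   # repeat of the first record
]


def triage(flows, table):
    """Count matching flows per (src, dst, port, match_kind); drop non-matches."""
    hits = Counter()
    for src, dst, port in flows:
        kind = classify(table, dst, port)
        if kind is not None:
            hits[(src, dst, port, kind)] += 1
    return dict(hits)


def suricata_rules(table, base_sid, tag="TrickBot ono76"):
    """One alert rule per listed ip:port; SIDs assigned sequentially from base_sid.
    The SID range and message text are assumptions of this example."""
    rules = []
    sid = base_sid
    for ip in sorted(table):
        for port in sorted(table[ip]):
            rules.append(
                f"alert tcp $HOME_NET any -> {ip} {port} "
                f'(msg:"{tag} C2 {ip}:{port}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    table = parse_c2(C2_ENDPOINTS)
    for key, n in triage(FLOWS, table).items():
        print(n, key)
    print("\n".join(suricata_rules(table, 9000001)))
```

The host_only class is the one worth keeping: a connection to a listed C2 host on a port the config does not name is still a hit on attacker infrastructure, and collapsing it into "no match" because the port differs throws that away.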

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4048
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3980
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\131.doc" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:208
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
        2⤵
          PID:4044
        • C:\Windows\System32\certutil.exe
          "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
          2⤵
            PID:3760
          • C:\Windows\System32\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\SysWOW64\regsvr32.exe
              c:\drad\ONKVD.dll
              3⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:804
              • C:\Windows\system32\wermgr.exe
                C:\Windows\system32\wermgr.exe
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1992
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1508
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82945 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1160
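The process tree above is the detection-relevant part of the report: a script host (WScript.exe running openssl.vbe) spawns cmd.exe to create a directory, certutil.exe to hex-decode the dropped DLL in place, and regsvr32.exe to load it, after which the 32-bit regsvr32 starts wermgr.exe. The following is an added example, not part of the sandbox report, that encodes that chain as rules over process-creation events. The events are constructed to mirror the tree (same PIDs, images and command lines, with the mkdir argument shortened), the benign regsvr32 record is a made-up control, the parent PID of WScript.exe is left as 0 because the tree does not show it and no rule needs it, and the rule names are this example's own.

```python
"""Flag the execution chain shown in the process tree above from
process-creation events. Added example: not part of the sandbox report.
The events are constructed to mirror the report's tree; the 'benign'
record and the rule names are this example's own."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. WScript's parent is not shown
# in the tree and is not needed by the rules, so it is left as 0, not guessed.
EVENTS = [
    ProcEvent(3684, 0, r"C:\Windows\System32\WScript.exe",
              r'C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"'),
    ProcEvent(4044, 3684, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions"'),
    ProcEvent(3760, 3684, r"C:\Windows\System32\certutil.exe",
              r'"C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll'),
    ProcEvent(3748, 3684, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll'),
    ProcEvent(804, 3748, r"C:\Windows\SysWOW64\regsvr32.exe", r"c:\drad\ONKVD.dll"),
    ProcEvent(1992, 804, r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    # Constructed benign control: regsvr32 on a DLL under C:\Windows, no script-host parent.
    ProcEvent(5000, 1, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\example.dll"),
]

# Directories from which a regsvr32 DLL load is treated as expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def certutil_decode(ev):
    """certutil used to decode a payload (-decode / -decodehex), as in the tree."""
    return basename(ev.image) == "certutil.exe" and \
        re.search(r"-(decodehex|decode)\b", ev.cmdline, re.I) is not None


def regsvr32_untrusted_dll(ev):
    """regsvr32 loading a DLL from outside the Windows / Program Files trees."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    dlls = re.findall(r"[a-z]:\\[^\"\s]+\.dll", ev.cmdline, re.I)
    return any(not d.lower().startswith(TRUSTED_PREFIXES) for d in dlls)


def wermgr_child_of_regsvr32(ev, by_pid):
    """wermgr.exe spawned by regsvr32, the hand-off seen at the bottom of the tree."""
    parent = by_pid.get(ev.ppid)
    return basename(ev.image) == "wermgr.exe" and parent is not None \
        and basename(parent.image) == "regsvr32.exe"


def script_host_lolbin_chain(events):
    """Script host whose direct children include both certutil and regsvr32."""
    children = defaultdict(set)
    for ev in events:
        children[ev.ppid].add(basename(ev.image))
    return sorted(ev.pid for ev in events
                  if basename(ev.image) in ("wscript.exe", "cscript.exe")
                  and {"certutil.exe", "regsvr32.exe"} <= children[ev.pid])


def scan(events):
    """Run every rule over the event set; return sorted (pid, rule_name) findings."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if certutil_decode(ev):
            findings.append((ev.pid, "certutil_decode"))
        if regsvr32_untrusted_dll(ev):
            findings.append((ev.pid, "regsvr32_untrusted_dll"))
        if wermgr_child_of_regsvr32(ev, by_pid):
            findings.append((ev.pid, "wermgr_child_of_regsvr32"))
    findings += [(pid, "script_host_lolbin_chain") for pid in script_host_lolbin_chain(events)]
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(pid, rule)
```

Two details of the tree matter for response work. The certutil call decodes with -f and the same input and output path, so C:\Drad\ONKVD.dll is overwritten in place: a hash taken of the file as dropped (hex text) will not match the PE that regsvr32 later loads, and a scan of the drop directory before the certutil step sees no executable. The 64-bit regsvr32 (PID 3748) relaunching C:\Windows\SysWOW64\regsvr32.exe (PID 804) is the normal hand-off for a 32-bit DLL, so the "Loads dropped DLL" signature and the memory dumps in the Downloads list are attached to the SysWOW64 instance, not the one the script started.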

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Downloads

  • C:\Drad\ONKVD.dll
  • C:\ProgramData\openssl.vbe
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NJBYJG7J.cookie
  • C:\Users\Admin\AppData\Local\Temp\.ses
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  • \??\c:\drad\ONKVD.dll
  • \Drad\ONKVD.dll
  • memory/208-9-0x0000014BED170000-0x0000014BED174000-memory.dmp (Filesize 16KB)
  • memory/208-3-0x00007FFDCD1A0000-0x00007FFDCD866000-memory.dmp (Filesize 6.8MB)
  • memory/804-31-0x0000000000910000-0x0000000000947000-memory.dmp (Filesize 220KB)
  • memory/804-29-0x0000000000000000-mapping.dmp
  • memory/804-32-0x0000000000950000-0x0000000000986000-memory.dmp (Filesize 216KB)
  • memory/1160-24-0x0000000000000000-mapping.dmp
  • memory/1992-33-0x0000000000000000-mapping.dmp
  • memory/3748-27-0x0000000000000000-mapping.dmp
  • memory/3760-25-0x0000000000000000-mapping.dmp
  • memory/4044-23-0x0000000000000000-mapping.dmp
  • memory/4048-0-0x00007FFDCD1A0000-0x00007FFDCD866000-memory.dmp (Filesize 6.8MB)
  • memory/4048-2-0x00007FFDCEC00000-0x00007FFDD1763000-memory.dmp (Filesize 43.4MB)
  • memory/4048-1-0x00007FFDCEC00000-0x00007FFDD1763000-memory.dmp (Filesize 43.4MB)