Analysis
max time kernel: 1745s
max time network: 1755s
platform: windows7_x64
resource: win7
submitted: 23-09-2020 14:42

Static task: static1
Behavioral task: behavioral1 (sample boq_6_boq.doc, resource win7)
Behavioral task: behavioral2 (sample boq_6_boq.doc, resource win7v200722)
General
Target: boq_6_boq.doc
Size: 684KB
MD5: 4913959946c7c8d9ff682439eb108928
SHA1: 2e77f1b7c588d274bd998dc6dda422363cc6f9ba
SHA256: 052c9196dfe764f1fbd3850d706d10601235dc266d1151c93d34454a12206c28
SHA512: b74c1b001c628bc762eda6d724b674b8951380d8eb1e94fdfc59852b67e851b8ca670905e565467431c5c8b0282fe5f6c9f4ba8f0ce41840530959c13ce1c595
Malware Config
Extracted: trickbot
1000513
ono76
C2 servers (ip:port):
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
autorunName: pwgrab
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid 332 (explorer.exe), pid_target 1124 (WINWORD.EXE): Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process

Blacklisted process makes network request (1 IoC)
Processes:
  flow 28, pid 332, process cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 1088, process regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 22, ioc ipecho.net

Modifies service (2 TTPs, 2 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs, process ipconfig.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas, process ipconfig.exe

Office loads VBA resources, possible macro or embedded object present

Discovers systems in the same network (1 TTP, 2 IoCs)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
  pid 1876, process ipconfig.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 1124, process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 704, process cmd.exe
  pid 332, process cmd.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1124, process WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeShutdownPrivilege, pid 1124, process WINWORD.EXE
  Token: SeDebugPrivilege, pid 1592, process wermgr.exe (3 entries)
  Token: SeDebugPrivilege, pid 704, process cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 1124, process WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (729 IoCs)
Processes (source pid -> target pid, source process -> target process; repeated entries collapsed):
  PID 1124 wrote to memory of 332: WINWORD.EXE -> explorer.exe (3 entries)
  PID 1664 wrote to memory of 308: explorer.exe -> WScript.exe (3 entries)
  PID 308 wrote to memory of 1492: WScript.exe -> regsvr32.exe (5 entries)
  PID 1492 wrote to memory of 1088: regsvr32.exe -> regsvr32.exe (7 entries)
  PID 1088 wrote to memory of 1592: regsvr32.exe -> wermgr.exe (6 entries)
  PID 1592 wrote to memory of 704: wermgr.exe -> cmd.exe (repeated many times; the exported listing shows only part of the 729 IoCs)
Processes (tree; nesting shown by indentation, with command line and matched signatures under each process)

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\boq_6_boq.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe
    command line: explorer c:\programdata\objStreamUTF8NoBOM.Vbe
    - Process spawned unexpected child process

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\objStreamUTF8NoBOM.Vbe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\regsvr32.exe
      command line: "C:\Windows\System32\regsvr32.exe" c:\UTF8NoBOM\APSLVDFB.dll
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe
        command line: c:\UTF8NoBOM\APSLVDFB.dll
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\wermgr.exe
          command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe
            - Blacklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            C:\Windows\system32\ipconfig.exe
              command line: ipconfig /all
              - Modifies service
              - Gathers network information
            C:\Windows\system32\net.exe
              command line: net config workstation
              C:\Windows\system32\net1.exe
                command line: C:\Windows\system32\net1 config workstation
            C:\Windows\system32\net.exe
              command line: net view /all
              - Discovers systems in the same network
            C:\Windows\system32\net.exe
              command line: net view /all /domain
              - Discovers systems in the same network
            C:\Windows\system32\nltest.exe
              command line: nltest /domain_trusts
            C:\Windows\system32\nltest.exe
              command line: nltest /domain_trusts /all_trusts
Downloads
- C:\ProgramData\objStreamUTF8NoBOM.Vbe
- \??\c:\UTF8NoBOM\APSLVDFB.dll
- \UTF8NoBOM\APSLVDFB.dll

Memory dumps (file name, size where given):
- memory/308-16-0x0000000002740000-0x0000000002744000-memory.dmp (16KB)
- memory/308-14-0x0000000000000000-mapping.dmp
- memory/332-103-0x0000000000190000-0x0000000000190080-memory.dmp (128B)
- memory/332-68-0x0000000000190000-0x0000000000190080-memory.dmp (128B)
- memory/332-12-0x0000000000000000-mapping.dmp
- memory/332-120-0x0000000000130000-0x000000000013000D-memory.dmp (13B)
- memory/332-118-0x0000000000160000-0x0000000000160188-memory.dmp (392B)
- memory/332-67-0x0000000180000000-0x0000000180016000-memory.dmp (88KB)
- memory/332-108-0x0000000000160000-0x0000000000160188-memory.dmp (392B)
- memory/332-71-0x0000000000130000-0x000000000013000D-memory.dmp (13B)
- memory/332-65-0x0000000180000000-0x0000000180016000-memory.dmp (88KB)
- memory/332-70-0x0000000000150000-0x0000000000150400-memory.dmp (1024B)
- memory/332-57-0x0000000000000000-mapping.dmp
- memory/620-117-0x0000000000000000-mapping.dmp
- memory/704-23-0x0000000000000000-mapping.dmp
- memory/704-35-0x0000000001B70000-0x0000000001B71000-memory.dmp (4KB)
- memory/704-36-0x0000000000330000-0x0000000000330017-memory.dmp (23B)
- memory/1088-21-0x0000000001DB0000-0x0000000001DE6000-memory.dmp (216KB)
- memory/1088-20-0x0000000000780000-0x00000000007B8000-memory.dmp (224KB)
- memory/1088-18-0x0000000000000000-mapping.dmp
- memory/1124-1-0x0000000007260000-0x000000000730C000-memory.dmp (688KB)
- memory/1124-11-0x00000000084C0000-0x00000000084D1000-memory.dmp (68KB)
- memory/1124-2-0x0000000006260000-0x0000000006264000-memory.dmp (16KB)
- memory/1124-0-0x0000000006260000-0x0000000006264000-memory.dmp (16KB)
- memory/1124-5-0x0000000006260000-0x0000000006264000-memory.dmp (16KB)
- memory/1124-8-0x00000000073E0000-0x00000000073E4000-memory.dmp (16KB)
- memory/1124-6-0x00000000073E0000-0x00000000073E4000-memory.dmp (16KB)
- memory/1492-15-0x0000000000000000-mapping.dmp
- memory/1548-111-0x0000000000000000-mapping.dmp
- memory/1592-22-0x0000000000000000-mapping.dmp
- memory/1856-116-0x0000000000000000-mapping.dmp
- memory/1876-109-0x0000000000000000-mapping.dmp
- memory/1888-112-0x0000000000000000-mapping.dmp
- memory/1956-114-0x0000000000000000-mapping.dmp
- memory/1968-113-0x0000000000000000-mapping.dmp