Overview

overview

10

Static

static

8

asdodnj1119505.doc

windows7_x64

10

asdodnj1119505.doc

windows10_x64

1

Resubmissions

07-10-2020 05:38

201007-meaceze37e 10

07-10-2020 05:01

201007-52y7t2889j 8

Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07-10-2020 05:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asdodnj1119505.doc

  • Size

    1.1MB

  • MD5

    c4dc25fdbdc0b722de6cb190e08757ce

  • SHA1

    d52e95b887badf0081d66965913555a0b59f00e9

  • SHA256

    5e84efe4d51ed6e3de4aca32ec599edaf9fd1a2ff1a45dae5d471a53fd121e3e

  • SHA512

    7fe15ed619e2957ba3563c05c807e673f9927e1a4324c95114aca04dd30e1fc1dfb18a55a3840278b7ef1fe5346b242e6875c2228344302c51c3398c211c9a48

Score
10/10
trojanbankertrickbot

Malware Config

Extracted

Family

trickbot

Version

2000010

Botnet

ono78

C2

195.123.239.59:443

85.143.219.36:443

94.250.254.84:443

94.250.255.217:443

212.80.219.98:443

91.210.171.82:443

45.8.230.108:443

194.156.98.172:443

195.2.93.227:443

62.108.35.179:443

91.200.101.192:443

194.5.249.31:443

195.123.241.157:443

104.161.32.10:443

88.150.197.186:443

62.108.35.204:443

45.155.173.196:443

51.89.177.18:443

194.5.249.107:443

195.123.241.182:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\asdodnj1119505.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\explorer.exe
      explorer c:\tabkey\pkmgsdgra.vbe
      2⤵
      • Process spawned unexpected child process
      PID:1060
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\tabkey\pkmgsdgra.vbe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\System32\rundll32.exe
        rundll32 c:\tabkey\pasodsjg\DVOBSNDSOG.dll,DllRegisterServer
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 c:\tabkey\pasodsjg\DVOBSNDSOG.dll,DllRegisterServer
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:300
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\tabkey\pkmgsdgra.vbe
    MD5

    1a79677bdaf8aaf431b0894eee99a63c

    SHA1

    b3bd5a0eb4edab681f14d09d9bef6776403deec9

    SHA256

    e93dbbbb9e9adeba9b59a2bd3d6412f691860aa1b73ad53049f3895d5d9054aa

    SHA512

    724b4045db61a6ca30ac184f55b8c6350a3d27c272a7b933d4590ad8dd1d24b72f38d30f616115ef4f00dba2d45a87472609427003b5e848132add4acb1c67da

    Download Submit
  • \??\c:\tabkey\pasodsjg\DVOBSNDSOG.dll
    MD5

    7c537f7a08f180c10cfe5a64741909b3

    SHA1

    09a41c9d0aa71a05daf10ef11fd615b6208b5db6

    SHA256

    c965159b432c96ca529d359e82bf92bf6b5199ff686d6a31c20ab7741c719df2

    SHA512

    fecb709fa35ff2bd059c0a244900c92b7560b8d12539baee161207824024cfbba15714ef8ce99fe4ad6333038f619d01b399a0d1be533379be8653b14a5460bc

    Download Submit
  • \tabkey\pasodsjg\DVOBSNDSOG.dll
    MD5

    7c537f7a08f180c10cfe5a64741909b3

    SHA1

    09a41c9d0aa71a05daf10ef11fd615b6208b5db6

    SHA256

    c965159b432c96ca529d359e82bf92bf6b5199ff686d6a31c20ab7741c719df2

    SHA512

    fecb709fa35ff2bd059c0a244900c92b7560b8d12539baee161207824024cfbba15714ef8ce99fe4ad6333038f619d01b399a0d1be533379be8653b14a5460bc

    Download Submit
  • \tabkey\pasodsjg\DVOBSNDSOG.dll
    MD5

    7c537f7a08f180c10cfe5a64741909b3

    SHA1

    09a41c9d0aa71a05daf10ef11fd615b6208b5db6

    SHA256

    c965159b432c96ca529d359e82bf92bf6b5199ff686d6a31c20ab7741c719df2

    SHA512

    fecb709fa35ff2bd059c0a244900c92b7560b8d12539baee161207824024cfbba15714ef8ce99fe4ad6333038f619d01b399a0d1be533379be8653b14a5460bc

    Download Submit
  • \tabkey\pasodsjg\DVOBSNDSOG.dll
    MD5

    7c537f7a08f180c10cfe5a64741909b3

    SHA1

    09a41c9d0aa71a05daf10ef11fd615b6208b5db6

    SHA256

    c965159b432c96ca529d359e82bf92bf6b5199ff686d6a31c20ab7741c719df2

    SHA512

    fecb709fa35ff2bd059c0a244900c92b7560b8d12539baee161207824024cfbba15714ef8ce99fe4ad6333038f619d01b399a0d1be533379be8653b14a5460bc

    Download Submit
  • \tabkey\pasodsjg\DVOBSNDSOG.dll
    MD5

    7c537f7a08f180c10cfe5a64741909b3

    SHA1

    09a41c9d0aa71a05daf10ef11fd615b6208b5db6

    SHA256

    c965159b432c96ca529d359e82bf92bf6b5199ff686d6a31c20ab7741c719df2

    SHA512

    fecb709fa35ff2bd059c0a244900c92b7560b8d12539baee161207824024cfbba15714ef8ce99fe4ad6333038f619d01b399a0d1be533379be8653b14a5460bc

    Download Submit
  • memory/300-12-0x0000000000000000-mapping.dmp
    Download
  • memory/300-17-0x00000000001C0000-0x00000000001F7000-memory.dmp
    Filesize

    220KB

    Download
  • memory/300-18-0x00000000002A0000-0x00000000002D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/544-9-0x0000000000000000-mapping.dmp
    Download
  • memory/756-10-0x00000000026B0000-0x00000000026B4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/756-7-0x0000000000000000-mapping.dmp
    Download
  • memory/852-19-0x0000000000000000-mapping.dmp
    Download
  • memory/896-8-0x0000000004B80000-0x0000000004B84000-memory.dmp
    Filesize

    16KB

    Download
  • memory/896-1-0x0000000007190000-0x0000000007390000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/896-0-0x0000000002550000-0x0000000002554000-memory.dmp
    Filesize

    16KB

    Download
  • memory/896-6-0x0000000007DB0000-0x0000000007DB4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/896-2-0x0000000007190000-0x0000000007390000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1060-3-0x0000000000000000-mapping.dmp
    Download