Resubmissions

  • 10-11-2020 14:09  201110-j4kq1f84yn  score 10
  • 10-11-2020 13:52  201110-tjb64jlajj  score 10
  • 10-11-2020 13:37  201110-ad9dyxzvqj  score 8
  • 10-11-2020 13:27  201110-kb2vhm8a22  score 8

Analysis

  • max time kernel
    521s
  • max time network
    548s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-11-2020 14:09

General

  • Target

    Document_11_9.doc

  • Size

    1.2MB

  • MD5

    bc0cc1e707b236fbd5cf9b27ff3c9461

  • SHA1

    8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924

  • SHA256

    dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe

  • SHA512

    df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

  • autorun: Name: pwgrab
  • ecc_pubkey.base64
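The extracted config is only useful once its C2 list is turned into something a sensor can match. The following Python is an added example (not part of the sandbox report): it parses the Malware Config block exactly as laid out above and matches the C2 endpoints against connection events. The conn events, their timestamps and the names CONFIG_TEXT / CONN_LOG / parse_config / match_c2 are assumptions made for the demo; the log format is modelled on Zeek's JSON conn log.

```python
"""Match the C2 endpoints from the extracted TrickBot config against
connection events.  Added example: CONFIG_TEXT copies the Malware Config
block above, CONN_LOG is constructed, neither is sandbox output."""
import json
import re

# The "Malware Config" block as laid out on the report page.
CONFIG_TEXT = """
Family
trickbot
Version
100001
Botnet
tar2
C2
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
"""

# Constructed Zeek-style conn events, one JSON object per line.  Lines 1 and 2
# reach listed C2s on 443; line 3 is ordinary HTTPS; line 4 reaches a C2 IP
# but on a port the config does not list.
CONN_LOG = """\
{"ts": 1605016200.1, "id.orig_h": "10.0.0.15", "id.resp_h": "66.85.183.5", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1605016201.4, "id.orig_h": "10.0.0.15", "id.resp_h": "195.123.241.226", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1605016202.9, "id.orig_h": "10.0.0.15", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1605016203.2, "id.orig_h": "10.0.0.15", "id.resp_h": "66.85.183.5", "id.resp_p": 80, "proto": "tcp"}
"""

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_KEYS = ("Family", "Version", "Botnet", "C2")


def parse_config(text):
    """Turn the label/value layout into a dict; "C2" becomes a set of (ip, port)."""
    cfg = {"C2": set()}
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in _KEYS:
            key = line
        elif key == "C2":
            m = _ENDPOINT.match(line)
            if m:                       # ignore anything that is not ip:port
                cfg["C2"].add((m.group(1), int(m.group(2))))
        elif key:
            cfg[key] = line
    return cfg


def match_c2(cfg, conn_log, strict_port=True):
    """Return the events whose destination is a listed C2.

    strict_port=True matches ip:port exactly (fewer false positives);
    False matches on IP alone, which catches a C2 that has moved ports."""
    ips = {ip for ip, _ in cfg["C2"]}
    hits = []
    for line in conn_log.splitlines():
        ev = json.loads(line)
        dst = (ev["id.resp_h"], ev["id.resp_p"])
        if (dst in cfg["C2"]) if strict_port else (dst[0] in ips):
            hits.append({**ev, "family": cfg["Family"], "botnet": cfg["Botnet"]})
    return hits


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for hit in match_c2(cfg, CONN_LOG):
        print(hit["ts"], hit["id.resp_h"], hit["id.resp_p"], hit["botnet"])
```

With strict matching only the two 443 connections fire; switching strict_port off also flags the port-80 connection to 66.85.183.5, which is the trade-off to make consciously: TrickBot C2 IPs here are plain hosting addresses, so IP-only matching is more sensitive but will also catch unrelated services on the same box.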

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    TrickBot, first seen in 2016, is a modular banking Trojan; the config extracted from this sample carries the pwgrab (browser credential-grabbing) module set to autorun.

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Modifies service 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses command-line utilities (here ipconfig, net and nltest) to view network and domain configuration.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 280 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 733 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Document_11_9.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:532

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\EXPLORER.EXE
      EXPLORER.EXE C:\Artrite\SarilumabSAR153191.vbe
      2⤵
      • Process spawned unexpected child process
      PID:912

  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Artrite\SarilumabSAR153191.vbe"
      2⤵
      PID:852

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\EXPLORER.EXE
      EXPLORER.EXE C:\Artrite\Final_Joana\asdpogasdjabn.exe
      2⤵
      • Process spawned unexpected child process
      PID:1096

  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Artrite\Final_Joana\asdpogasdjabn.exe
      "C:\Artrite\Final_Joana\asdpogasdjabn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1140
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Blacklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          PID:904
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            5⤵
            • Modifies service
            • Gathers network information
            PID:1496
          • C:\Windows\system32\net.exe
            net config workstation
            5⤵
            PID:1656
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 config workstation
              6⤵
              PID:1212
          • C:\Windows\system32\net.exe
            net view /all
            5⤵
            • Discovers systems in the same network
            PID:1316
          • C:\Windows\system32\net.exe
            net view /all /domain
            5⤵
            • Discovers systems in the same network
            PID:1976
          • C:\Windows\system32\nltest.exe
            nltest /domain_trusts
            5⤵
            PID:1868
          • C:\Windows\system32\nltest.exe
            nltest /domain_trusts /all_trusts
            5⤵
            PID:1160
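The tree above is the chain a detection engineer wants to alert on: an Office application spawning a child it has no business spawning, the Windows Error Reporting host (wermgr.exe) spawning a shell, and one shell running a burst of net/nltest/ipconfig discovery. The following Python is an added example, not sandbox output. EVENTS is constructed from the PIDs and command lines in the tree (the parent PID 1000 given to the top-level processes is made up), and the pid/ppid/image/cmdline field names, the rule names and the allowlists are assumptions; the field set is roughly what a normalised Sysmon Event ID 1 feed provides.

```python
"""Process-chain detection over the tree above.  Added example, not sandbox
output: EVENTS is constructed from the PIDs and command lines in the report
(parent PID 1000 for the top-level processes is made up), and the field
names assume a normalised Sysmon Event ID 1 feed."""
import os
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_OK_CHILDREN = {"splwow64.exe"}   # printer-driver helper, seen under WINWORD above
RECON = {"ipconfig.exe", "net.exe", "net1.exe", "nltest.exe"}

EVENTS = [
    {"pid": 1660, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Document_11_9.doc"'},
    {"pid": 532, "ppid": 1660, "image": r"C:\Windows\splwow64.exe", "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 1052, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" /automation -Embedding'},
    {"pid": 912, "ppid": 1052, "image": r"C:\Windows\SysWOW64\EXPLORER.EXE",
     "cmdline": r"EXPLORER.EXE C:\Artrite\SarilumabSAR153191.vbe"},
    {"pid": 944, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1208, "ppid": 944, "image": r"C:\Artrite\Final_Joana\asdpogasdjabn.exe",
     "cmdline": r'"C:\Artrite\Final_Joana\asdpogasdjabn.exe"'},
    {"pid": 1144, "ppid": 1208, "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"pid": 1140, "ppid": 1144, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 904, "ppid": 1144, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 1496, "ppid": 904, "image": r"C:\Windows\system32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 1656, "ppid": 904, "image": r"C:\Windows\system32\net.exe", "cmdline": "net config workstation"},
    {"pid": 1212, "ppid": 1656, "image": r"C:\Windows\system32\net1.exe", "cmdline": r"C:\Windows\system32\net1 config workstation"},
    {"pid": 1316, "ppid": 904, "image": r"C:\Windows\system32\net.exe", "cmdline": "net view /all"},
    {"pid": 1976, "ppid": 904, "image": r"C:\Windows\system32\net.exe", "cmdline": "net view /all /domain"},
    {"pid": 1868, "ppid": 904, "image": r"C:\Windows\system32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"pid": 1160, "ppid": 904, "image": r"C:\Windows\system32\nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts"},
]


def base(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return os.path.basename(image.replace("\\", "/")).lower()


def descendants(pid, children):
    """Every process below pid in the tree, depth first."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        d = stack.pop()
        out.append(d)
        stack.extend(children.get(d["pid"], []))
    return out


def detect(events, recon_threshold=3):
    """Return (rule, pid, detail) tuples for the three patterns in the tree."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p, c = base(parent["image"]), base(e["image"])
        # Rule 1: an Office application spawning anything outside a short allowlist.
        if p in OFFICE and c not in OFFICE_OK_CHILDREN:
            alerts.append(("office_unexpected_child", e["pid"], f"{p} -> {e['cmdline']}"))
        # Rule 2: the Windows Error Reporting host spawning a shell.
        if p == "wermgr.exe" and c == "cmd.exe":
            alerts.append(("wermgr_spawns_cmd", e["pid"], e["cmdline"]))
    # Rule 3: one shell whose subtree runs several distinct recon commands.
    for e in events:
        if base(e["image"]) != "cmd.exe":
            continue
        cmds = {d["cmdline"] for d in descendants(e["pid"], children) if base(d["image"]) in RECON}
        if len(cmds) >= recon_threshold:
            alerts.append(("recon_burst", e["pid"], sorted(cmds)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, detail)
```

Rule 3 walks the whole subtree rather than direct children so that `net1.exe`, which `net.exe` hands off to, is counted against the shell that started the burst; the splwow64.exe allowlist under rule 1 is what keeps the legitimate WINWORD child in this same tree quiet.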

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Command-Line Interface, T1059 (1)
  • Persistence: Modify Existing Service, T1031 (1)
  • Defense Evasion: Modify Registry, T1112 (2)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Remote System Discovery, T1018 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (1)


Downloads

  • C:\Artrite\Final_Joana\asdpogasdjabn.exe
    MD5     3ba7d3dbc17ce640e0bb3dd5f989169b
    SHA1    84ee0b6e02339f1deb33d75693551db444923ba8
    SHA256  52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
    SHA512  3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231
  • C:\Artrite\SarilumabSAR153191.vbe
    MD5     6f2314cbd7bffa272bbfb31ac8130424
    SHA1    5b40478da6e5b7686fcec2d9688290cafc7cc728
    SHA256  f9777b111637d3d9994717dba4565a49e5218048d2bf15ad6799a5b43f4dc8d7
    SHA512  0f387fd35a4d062853c8f7d22693aace323892465ac2ab818edf553ea56436577e6d0caee5b8f98f13d80f076ae3e4e864e16b87e19d826a4232a687fcba6012

  • \??\PIPE\NETLOGON (the sandbox captured zero bytes from this pipe; the hashes below are those of empty input, so they identify nothing)
    MD5     d41d8cd98f00b204e9800998ecf8427e
    SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/532-0-0x0000000000000000-mapping.dmp
  • memory/852-8-0x0000000000000000-mapping.dmp
  • memory/852-17-0x0000000002800000-0x0000000002804000-memory.dmp (Filesize 16KB)
  • memory/904-69-0x0000000000290000-0x0000000000290080-memory.dmp (Filesize 128B)
  • memory/904-120-0x0000000000250000-0x0000000000250188-memory.dmp (Filesize 392B)
  • memory/904-68-0x0000000180000000-0x0000000180016000-memory.dmp (Filesize 88KB)
  • memory/904-66-0x0000000180000000-0x0000000180016000-memory.dmp (Filesize 88KB)
  • memory/904-122-0x0000000000230000-0x000000000023000D-memory.dmp (Filesize 13B)
  • memory/904-109-0x0000000000250000-0x0000000000250188-memory.dmp (Filesize 392B)
  • memory/904-104-0x0000000000290000-0x0000000000290080-memory.dmp (Filesize 128B)
  • memory/904-72-0x0000000000230000-0x000000000023000D-memory.dmp (Filesize 13B)
  • memory/904-71-0x0000000000240000-0x0000000000240400-memory.dmp (Filesize 1024B)
  • memory/904-58-0x0000000000000000-mapping.dmp
  • memory/912-6-0x0000000000000000-mapping.dmp
  • memory/1096-15-0x0000000000000000-mapping.dmp
  • memory/1140-23-0x0000000000000000-mapping.dmp
  • memory/1140-35-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
  • memory/1140-36-0x00000000000C0000-0x00000000000C0017-memory.dmp (Filesize 23B)
  • memory/1140-123-0x00000000000C0000-0x00000000000C0017-memory.dmp (Filesize 23B)
  • memory/1144-22-0x0000000000000000-mapping.dmp
  • memory/1160-118-0x0000000000000000-mapping.dmp
  • memory/1208-20-0x00000000004B0000-0x00000000004EE000-memory.dmp (Filesize 248KB)
  • memory/1208-21-0x00000000004F0000-0x000000000052A000-memory.dmp (Filesize 232KB)
  • memory/1208-18-0x0000000000000000-mapping.dmp
  • memory/1212-113-0x0000000000000000-mapping.dmp
  • memory/1316-114-0x0000000000000000-mapping.dmp
  • memory/1496-110-0x0000000000000000-mapping.dmp
  • memory/1656-112-0x0000000000000000-mapping.dmp
  • memory/1660-4-0x0000000000762000-0x0000000000766000-memory.dmp (Filesize 16KB)
  • memory/1660-12-0x00000000069C0000-0x00000000069C4000-memory.dmp (Filesize 16KB)
  • memory/1660-13-0x0000000009DD0000-0x0000000009DD4000-memory.dmp (Filesize 16KB)
  • memory/1660-11-0x0000000009620000-0x0000000009624000-memory.dmp (Filesize 16KB)
  • memory/1660-9-0x0000000001EB0000-0x0000000001EB1000-memory.dmp (Filesize 4KB)
  • memory/1660-5-0x00000000063B3000-0x00000000063B7000-memory.dmp (Filesize 16KB)
  • memory/1660-14-0x0000000004670000-0x0000000004674000-memory.dmp (Filesize 16KB)
  • memory/1660-3-0x0000000000762000-0x0000000000766000-memory.dmp (Filesize 16KB)
  • memory/1660-2-0x0000000000762000-0x0000000000766000-memory.dmp (Filesize 16KB)
  • memory/1660-1-0x0000000004E40000-0x0000000004E44000-memory.dmp (Filesize 16KB)
  • memory/1868-117-0x0000000000000000-mapping.dmp
  • memory/1976-115-0x0000000000000000-mapping.dmp