Resubmissions

10-11-2020 14:09

201110-j4kq1f84yn 10

10-11-2020 13:52

201110-tjb64jlajj 10

10-11-2020 13:37

201110-ad9dyxzvqj 8

10-11-2020 13:27

201110-kb2vhm8a22 8

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-11-2020 13:52

General

  • Target

    Document_11_9.doc

  • Size

    1.2MB

  • MD5

    bc0cc1e707b236fbd5cf9b27ff3c9461

  • SHA1

    8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924

  • SHA256

    dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe

  • SHA512

    df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Document_11_9.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2028
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\EXPLORER.EXE
      EXPLORER.EXE C:\Artrite\SarilumabSAR153191.vbe
      2⤵
      • Process spawned unexpected child process
      PID:1160
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Artrite\SarilumabSAR153191.vbe"
      2⤵
        PID:1544
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\EXPLORER.EXE
        EXPLORER.EXE C:\Artrite\Final_Joana\asdpogasdjabn.exe
        2⤵
        • Process spawned unexpected child process
        PID:1928
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Artrite\Final_Joana\asdpogasdjabn.exe
        "C:\Artrite\Final_Joana\asdpogasdjabn.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1788

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Defense Evasion
        Modify Registry (T1112): 1
      • Discovery
        Query Registry (T1012): 1
        System Information Discovery (T1082): 1

    Downloads

    • C:\Artrite\Final_Joana\asdpogasdjabn.exe
      MD5

      3ba7d3dbc17ce640e0bb3dd5f989169b

      SHA1

      84ee0b6e02339f1deb33d75693551db444923ba8

      SHA256

      52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

      SHA512

      3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231

    • C:\Artrite\SarilumabSAR153191.vbe
      MD5

      6f2314cbd7bffa272bbfb31ac8130424

      SHA1

      5b40478da6e5b7686fcec2d9688290cafc7cc728

      SHA256

      f9777b111637d3d9994717dba4565a49e5218048d2bf15ad6799a5b43f4dc8d7

      SHA512

      0f387fd35a4d062853c8f7d22693aace323892465ac2ab818edf553ea56436577e6d0caee5b8f98f13d80f076ae3e4e864e16b87e19d826a4232a687fcba6012

    • memory/580-20-0x00000000003C0000-0x00000000003FA000-memory.dmp
      Filesize

      232KB

    • memory/580-19-0x0000000000340000-0x000000000037E000-memory.dmp
      Filesize

      248KB

    • memory/580-17-0x0000000000000000-mapping.dmp
    • memory/1160-4-0x0000000000000000-mapping.dmp
    • memory/1544-15-0x0000000002760000-0x0000000002764000-memory.dmp
      Filesize

      16KB

    • memory/1544-6-0x0000000000000000-mapping.dmp
    • memory/1788-21-0x0000000000000000-mapping.dmp
    • memory/1928-14-0x0000000000000000-mapping.dmp
    • memory/2028-13-0x00000000047D0000-0x00000000047D4000-memory.dmp
      Filesize

      16KB

    • memory/2028-2-0x000000000055D000-0x000000000055F000-memory.dmp
      Filesize

      8KB

    • memory/2028-12-0x0000000009AB0000-0x0000000009AB4000-memory.dmp
      Filesize

      16KB

    • memory/2028-1-0x00000000004D2000-0x00000000004D6000-memory.dmp
      Filesize

      16KB

    • memory/2028-11-0x0000000007230000-0x0000000007234000-memory.dmp
      Filesize

      16KB

    • memory/2028-10-0x0000000009430000-0x0000000009434000-memory.dmp
      Filesize

      16KB

    • memory/2028-0-0x00000000061C0000-0x00000000061C4000-memory.dmp
      Filesize

      16KB