Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-12-2020 18:35
General
-
Target
Document931215825.xls
-
Size
53KB
-
MD5
7054f04adc0695c6c8a1853526e13468
-
SHA1
dd8e0f4b4fe228985acaad81c7a8af5c575e3b0e
-
SHA256
62d8cab8ec8b81bf3bd5a75ceca7b12bb2b26f4a40ded2320fdcfd33a49349d7
-
SHA512
afa7d010c4b36cc681cef843964fb008b7d95e68501b9566cbc073038f5b1380e73aacbd187ac3694673a3c90453931a5479a61fb23138bc28d1d8425bece723
Malware Config
Extracted
trickbot
100006
rob20
80.242.220.146:449
177.221.108.198:449
41.243.29.182:449
178.134.55.190:449
194.5.249.71:443
195.123.242.207:443
184.95.51.178:443
94.158.245.90:443
192.3.247.125:443
156.96.47.3:443
192.3.73.165:443
192.119.171.230:443
141.136.0.42:443
45.12.110.206:443
5.34.180.168:443
195.123.242.202:443
196.45.140.146:449
103.250.70.163:443
103.87.25.220:443
118.69.133.4:443
-
autorunName:pwgrab
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 105 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 67 IoCs
-
Suspicious use of SendNotifyMessage 67 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document931215825.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\IntelCompany\JIOLAS.RRTTOOKKMD5
bd1f17c3f5f6d4b8b97bcb4d330daec4
SHA1a567f1016f657c93784762925cfcfa7c8ea7b840
SHA256c91623796d2ebc3fc11faf8f9578b56fd4f61a06dec26f5648b9372ae30240da
SHA5120e03ad245df2837ab36ce1387a64aae35b703af2f21e61b1a10fae3f02ffa1eb53f68914ebba27673d3ec69d44d3dc7004d77d97fee1007b5ffdfb9e373db21a
-
\IntelCompany\JIOLAS.RRTTOOKKMD5
bd1f17c3f5f6d4b8b97bcb4d330daec4
SHA1a567f1016f657c93784762925cfcfa7c8ea7b840
SHA256c91623796d2ebc3fc11faf8f9578b56fd4f61a06dec26f5648b9372ae30240da
SHA5120e03ad245df2837ab36ce1387a64aae35b703af2f21e61b1a10fae3f02ffa1eb53f68914ebba27673d3ec69d44d3dc7004d77d97fee1007b5ffdfb9e373db21a
-
memory/1340-10-0x0000000010000000-0x0000000010038000-memory.dmpFilesize
224KB
-
memory/1340-7-0x0000000000000000-mapping.dmp
-
memory/1340-9-0x0000000004440000-0x0000000004479000-memory.dmpFilesize
228KB
-
memory/1628-2-0x00007FF81FB70000-0x00007FF8201A7000-memory.dmpFilesize
6.2MB
-
memory/2100-11-0x0000000000000000-mapping.dmp
-
memory/2300-5-0x0000000000000000-mapping.dmp
-
memory/3440-12-0x000001FEEA95A000-0x000001FEEAA73000-memory.dmpFilesize
1.1MB
-
memory/3440-13-0x000001FEEA95A000-0x000001FEEAA73000-memory.dmpFilesize
1.1MB
-
memory/3440-15-0x000001FEEA95A000-0x000001FEEAA73000-memory.dmpFilesize
1.1MB
-
memory/3440-17-0x000001FEEA95A000-0x000001FEEAA73000-memory.dmpFilesize
1.1MB
-
memory/3440-19-0x000001FEEA95A000-0x000001FEEAA73000-memory.dmpFilesize
1.1MB