Analysis
  max time kernel: 150s
  max time network: 138s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 29-12-2020 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: Document_1452730543.xls
  Resource: win7v20201028
General
  Target: Document_1452730543.xls
  Size: 45KB
  MD5: ff0c9c2a9193dab84e4f3fe426c56c54
  SHA1: e4f5866918418e3c7b00bfcba16993b0eb1796cf
  SHA256: 8d8e5f67621739e6b1d56bcd0748949d35ecdcb9cbb903b298d351e0df1402cf
  SHA512: 80e2e32711481e0759a100648c6445f1c9e4a58a21f561833f7f0f819c98aba792561def14c64edd2335415b9ae4d2a62130fe31300edec38b4c71639fadcb83
Malware Config
Extracted
  Family: trickbot
  Version: 100008
  Botnet: rob33
  autorunName: pwgrab
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2124 | 972 | rundll32.exe | EXCEL.EXE

Templ.dll packer (1 IoC)
Detects Templ.dll packer which usually loads Trickbot.
Processes:
  resource | yara_rule
  behavioral2/memory/508-7-0x00000000028C0000-0x00000000028F8000-memory.dmp | templ_dll

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  508 | rundll32.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\S: | EXCEL.EXE
  File opened (read-only) | \??\V: | EXCEL.EXE
  File opened (read-only) | \??\Y: | EXCEL.EXE
  File opened (read-only) | \??\I: | EXCEL.EXE
  File opened (read-only) | \??\P: | EXCEL.EXE
  File opened (read-only) | \??\R: | EXCEL.EXE
  File opened (read-only) | \??\U: | EXCEL.EXE
  File opened (read-only) | \??\Z: | EXCEL.EXE
  File opened (read-only) | \??\G: | EXCEL.EXE
  File opened (read-only) | \??\L: | EXCEL.EXE
  File opened (read-only) | \??\M: | EXCEL.EXE
  File opened (read-only) | \??\J: | EXCEL.EXE
  File opened (read-only) | \??\K: | EXCEL.EXE
  File opened (read-only) | \??\N: | EXCEL.EXE
  File opened (read-only) | \??\O: | EXCEL.EXE
  File opened (read-only) | \??\Q: | EXCEL.EXE
  File opened (read-only) | \??\B: | EXCEL.EXE
  File opened (read-only) | \??\E: | EXCEL.EXE
  File opened (read-only) | \??\F: | EXCEL.EXE
  File opened (read-only) | \??\X: | EXCEL.EXE
  File opened (read-only) | \??\W: | EXCEL.EXE
  File opened (read-only) | \??\A: | EXCEL.EXE
  File opened (read-only) | \??\H: | EXCEL.EXE
  File opened (read-only) | \??\T: | EXCEL.EXE
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  52 | checkip.amazonaws.com

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  972 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3892 | wermgr.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  pid | process
  972 | EXCEL.EXE (this row is repeated 14 times in the report)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 972 wrote to memory of 2124 | 972 | EXCEL.EXE | rundll32.exe
  PID 972 wrote to memory of 2124 | 972 | EXCEL.EXE | rundll32.exe
  PID 2124 wrote to memory of 508 | 2124 | rundll32.exe | rundll32.exe
  PID 2124 wrote to memory of 508 | 2124 | rundll32.exe | rundll32.exe
  PID 2124 wrote to memory of 508 | 2124 | rundll32.exe | rundll32.exe
  PID 508 wrote to memory of 3892 | 508 | rundll32.exe | wermgr.exe
  PID 508 wrote to memory of 3892 | 508 | rundll32.exe | wermgr.exe
  PID 508 wrote to memory of 3892 | 508 | rundll32.exe | wermgr.exe
  PID 508 wrote to memory of 3892 | 508 | rundll32.exe | wermgr.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_1452730543.xls"
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32 ..\AppData\Roaming\JKER.UUIIKKAA,DllRegisterServer
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 ..\AppData\Roaming\JKER.UUIIKKAA,DllRegisterServer
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wermgr.exe
        Command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\JKER.UUIIKKAA
  MD5: 57ee70462da3c968d4ef8466e2855418
  SHA1: c653f707d23ea22c65bdc88e6f6a310f83f8cdf8
  SHA256: e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4
  SHA512: 60aef8af216bad129ebbac1c11804187fa6227ddf5f2836055d59f43318121751ab74df98a6e3fb8b6e7f74fb0c563acbebcbe5ac36c35c89369e4459f29c6c4

\Users\Admin\AppData\Roaming\JKER.UUIIKKAA
  MD5: 57ee70462da3c968d4ef8466e2855418
  SHA1: c653f707d23ea22c65bdc88e6f6a310f83f8cdf8
  SHA256: e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4
  SHA512: 60aef8af216bad129ebbac1c11804187fa6227ddf5f2836055d59f43318121751ab74df98a6e3fb8b6e7f74fb0c563acbebcbe5ac36c35c89369e4459f29c6c4

memory/508-5-0x0000000000000000-mapping.dmp

memory/508-7-0x00000000028C0000-0x00000000028F8000-memory.dmp
  Filesize: 224KB

memory/972-2-0x00007FFA6A5A0000-0x00007FFA6ABD7000-memory.dmp
  Filesize: 6.2MB

memory/2124-3-0x0000000000000000-mapping.dmp

memory/3892-8-0x0000000000000000-mapping.dmp