Analysis
max time kernel: 136s
max time network: 142s
platform: windows10_x64
resource: win10v20201028
submitted: 05-01-2021 11:50

Static task: static1
Behavioral task: behavioral1
Sample: ORDER787-5.xls
Resource: win7v20201028
General
Target: ORDER787-5.xls
Size: 161KB
MD5: 1d97c6cb50c4107498e4f0e76f539f0c
SHA1: a4dc090837c76aed324bea19c9f62e2d47bb7bc8
SHA256: 1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4
SHA512: 08c580cbb19b3684f96ab82ec358ca42b796d52045c71d7f794f91d745b62f184d0b1c6842dd6577fb2a0b762bd236f1d1d593b3c592767788fda08739b025a3
Malware Config
Extracted
Family: trickbot
Version: 100009
Botnet (gtag): rob33
C2 (ip:port):
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Attributes:
autorunName: pwgrab
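The extracted block above is what an analyst turns into blocking and hunting IOCs. The following Python is an added example, not part of this report or of any Triage tooling: it parses the block into a structured config, reading the three unlabeled leading values as family, version and group tag (gtag) in the order the report prints them, groups the C2 list by port, and checks constructed connection-log lines (both the log lines and their format are assumptions, not from the report) against the (ip, port) pairs.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of this report's "Malware Config / Extracted" block, in the
# order it prints: family, version, group tag (gtag), C2 list, key:value attributes.
EXTRACTED_CONFIG = """
trickbot
100009
rob33
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
autorunName:pwgrab
"""

# Constructed connection-log lines (not from the report): one C2 hit, one benign.
FLOW_LOG = """
2021-01-05T11:52:03Z tcp 10.0.0.15:49812 -> 194.5.249.143:443
2021-01-05T11:52:09Z tcp 10.0.0.15:49813 -> 13.107.42.14:443
"""

C2_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+\S+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


@dataclass
class TrickbotConfig:
    family: str
    version: str
    gtag: str
    c2: list[tuple[str, int]] = field(default_factory=list)
    attributes: dict[str, str] = field(default_factory=dict)


def parse_config(text: str) -> TrickbotConfig:
    """Parse the unlabeled dump; fail loudly on malformed lines rather than
    silently dropping them, so a corrupt IOC feed is noticed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config needs at least family, version and gtag")
    cfg = TrickbotConfig(*lines[:3])
    for ln in lines[3:]:
        m = C2_RE.match(ln)
        if m:
            ip = str(ipaddress.ip_address(m["ip"]))  # ValueError on an octet > 255
            port = int(m["port"])
            if not 0 < port < 65536:
                raise ValueError(f"port out of range: {ln!r}")
            cfg.c2.append((ip, port))
        elif ":" in ln:
            key, value = ln.split(":", 1)
            cfg.attributes[key] = value
        else:
            raise ValueError(f"unrecognised config line: {ln!r}")
    return cfg


def c2_by_port(cfg: TrickbotConfig) -> dict[int, list[str]]:
    """Group C2 IPs by port; this config mixes 449 and 443."""
    groups: dict[int, list[str]] = {}
    for ip, port in cfg.c2:
        groups.setdefault(port, []).append(ip)
    return {port: sorted(ips) for port, ips in groups.items()}


def match_flows(cfg: TrickbotConfig, log: str) -> list[tuple[str, str, int]]:
    """(timestamp, dst_ip, dst_port) for each flow to a configured (ip, port) pair."""
    wanted = set(cfg.c2)
    hits = []
    for ln in log.splitlines():
        m = FLOW_RE.match(ln.strip())
        if m and (m["dst"], int(m["dport"])) in wanted:
            hits.append((m["ts"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(cfg.family, cfg.version, cfg.gtag, len(cfg.c2), "C2s", cfg.attributes)
    print({p: len(v) for p, v in c2_by_port(cfg).items()}, match_flows(cfg, FLOW_LOG))
```

Matching on the (ip, port) pair rather than the bare address keeps a shared host that legitimately serves another port from being flagged; if the goal is a firewall blocklist rather than log matching, the per-port groups are the natural input for it.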
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 996 | 3992 | rundll32.exe | EXCEL.EXE

Templ.dll packer (2 IoCs)
Detects Templ.dll packer which usually loads Trickbot.
Processes:
  resource | yara_rule
  behavioral2/memory/2144-7-0x0000000000F20000-0x0000000000F59000-memory.dmp | templ_dll
  behavioral2/memory/2144-8-0x0000000000F60000-0x0000000000F98000-memory.dmp | templ_dll

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2144 | rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to EXCEL.EXE, the host of the malicious document, so on their own they cannot be told apart from the application's ordinary start-up queries; weigh them together with the process chain rather than in isolation.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  3992 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1432 | wermgr.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  3992 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3992 wrote to memory of 996 | 3992 | EXCEL.EXE | rundll32.exe (2 entries)
  PID 996 wrote to memory of 2144 | 996 | rundll32.exe | rundll32.exe (3 entries)
  PID 2144 wrote to memory of 1432 | 2144 | rundll32.exe | wermgr.exe (4 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3992)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER787-5.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\rundll32.exe (PID 996)
    rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2144)
      rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wermgr.exe (PID 1432)
        C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
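The chain this report records (EXCEL.EXE 3992 -> rundll32.exe 996 -> rundll32.exe 2144 -> wermgr.exe 1432, with rundll32 loading C:\ProgramData\activex.ocx via DllRegisterServer) is what a hunt rule should encode. The Python below is an added example, not code from the report or from Triage: it rebuilds that chain as Sysmon-style process-creation events (the explorer.exe parent at PID 4200 and the benign rundll32 control at PID 5000 are constructed, not from the report) and applies three rules that deliberately generalize beyond this sample to other Office hosts and other LOLBins.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events (Sysmon event 1 style) rebuilt from this
# report's process tree and PIDs. The explorer.exe parent (PID 4200) and the
# benign rundll32 at PID 5000 are constructed controls, not from the report.
EVENTS = [
    ProcEvent(4200, 4000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3992, 4200, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER787-5.xls"'),
    ProcEvent(996, 3992, r"C:\Windows\SYSTEM32\rundll32.exe",
              r"rundll32 C:\ProgramData\activex.ocx, DllRegisterServer"),
    ProcEvent(2144, 996, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 C:\ProgramData\activex.ocx, DllRegisterServer"),
    ProcEvent(1432, 2144, r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    ProcEvent(5000, 4200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# "rundll32[.exe] <module>,<export>" with an optional path prefix and optional quotes.
RUNDLL32_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def rundll32_module(cmdline: str) -> tuple[str, str] | None:
    """Split a rundll32 command line into (module path, export name), or None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    return (m["module"], m["export"]) if m else None


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) for every event matching one of three rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = base(e.image)
        pbase = base(parent.image) if parent else ""
        # Rule 1: an Office host spawning a script/loader LOLBin is the macro hand-off.
        if pbase in OFFICE_APPS and child in LOLBINS:
            alerts.append((e.pid, "office_spawned_lolbin", f"{pbase} -> {child}"))
        # Rule 2: rundll32 asked to load a module that is not a .dll or lives in a
        # user-writable directory (here C:\ProgramData\activex.ocx). The System32 ->
        # SysWOW64 rundll32 hop is how 64-bit rundll32 loads a 32-bit module, so it
        # is not a rule of its own; the module check fires on both PIDs instead.
        if child == "rundll32.exe" and (mod := rundll32_module(e.cmdline)):
            module, export = mod
            if ntpath.splitext(module)[1].lower() != ".dll" or module.lower().startswith(USER_WRITABLE):
                alerts.append((e.pid, "rundll32_suspicious_module", f"{module},{export}"))
        # Rule 3: wermgr.exe started by rundll32.exe is the injection target seen here.
        if child == "wermgr.exe" and pbase == "rundll32.exe":
            alerts.append((e.pid, "wermgr_from_rundll32", f"parent pid {e.ppid}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

Run against the constructed events, the control rundll32 loading shell32.dll from System32 produces nothing, while PIDs 996, 2144 and 1432 each raise at least one alert; the same three checks translate directly into EDR or SIEM queries over ParentImage, Image and CommandLine.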
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\activex.ocx
MD5: 1a57412ab2edd77103fd75768ba146dd
SHA1: 81599a9b526c16b2a0a82cadcb8acaac6781ec81
SHA256: 7ab75bc888c6dd0457098d4539d9c86c3f1358a3b0c1a262f2bb8287e2bac917
SHA512: 7679b32035d95e5563ead9d54d8ef810c20913da702d983a23c66fc51e9f00647556bee2ba48803bd13b1340744c78aaea835bb9c247e616480595043de9566a

\ProgramData\activex.ocx
MD5: 1a57412ab2edd77103fd75768ba146dd
SHA1: 81599a9b526c16b2a0a82cadcb8acaac6781ec81
SHA256: 7ab75bc888c6dd0457098d4539d9c86c3f1358a3b0c1a262f2bb8287e2bac917
SHA512: 7679b32035d95e5563ead9d54d8ef810c20913da702d983a23c66fc51e9f00647556bee2ba48803bd13b1340744c78aaea835bb9c247e616480595043de9566a

memory/996-3-0x0000000000000000-mapping.dmp
memory/1432-9-0x0000000000000000-mapping.dmp
memory/2144-5-0x0000000000000000-mapping.dmp
memory/2144-7-0x0000000000F20000-0x0000000000F59000-memory.dmp (Filesize: 228KB)
memory/2144-8-0x0000000000F60000-0x0000000000F98000-memory.dmp (Filesize: 224KB)
memory/3992-2-0x00007FFCC0A10000-0x00007FFCC1047000-memory.dmp (Filesize: 6.2MB)