Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-02-2021 21:28
Behavioral task: behavioral1
- Sample: cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54.xls
- Resource: win10v20201028
General
- Target: cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54.xls
- Size: 141KB
- MD5: d565aff6f0f8712bd3a7529e19a8a419
- SHA1: ff573e49876b159f8821f9c8abfa6c344a5ed275
- SHA256: cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54
- SHA512: 4af4bd83b514788f0d98fa6f18da332f53bddbac683774f10fbf7174e9a02e14bf91d01605b68b87a2b1606d5f67cb850693bd3a8391dab6e285fe08c708041e
Malware Config
- Extracted: http://bearcatpumps.com.cn/css/tolkio.php
- Extracted: trickbot
2000026
rob16
154.79.252.132:449
179.191.108.58:449
200.6.169.124:443
103.76.20.226:443
80.78.77.116:449
80.78.75.246:443
45.234.248.66:449
187.190.116.59:443
185.234.72.84:443
36.94.202.131:443
103.91.244.102:449
168.232.188.88:449
103.73.101.98:449
173.81.4.147:449
202.142.151.190:449
118.67.216.238:449
108.170.20.72:443
85.159.214.61:443
36.92.93.5:449
79.122.166.236:449
201.184.190.59:449
111.235.66.83:443
187.19.200.154:449
186.195.199.238:449
103.84.164.87:443
117.212.193.62:449
190.152.71.230:443
37.235.230.123:449
103.119.117.42:443
177.47.88.62:443
103.146.2.152:449
102.164.211.138:449
182.48.66.106:443
178.54.230.164:443
221.176.88.201:449
167.179.194.205:443
179.60.243.52:443
-
autorunName:pwgrab
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 552 | 1740 | rundll32.exe | EXCEL.EXE
Templ.dll packer 1 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource | yara_rule
behavioral1/memory/552-10-0x0000000000230000-0x0000000000267000-memory.dmp | templ_dll
Loads dropped DLL 1 IoCs
Processes:
pid | process
552 | rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | wtfismyip.com
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1740 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1352 | wermgr.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1740 | EXCEL.EXE
1740 | EXCEL.EXE
1740 | EXCEL.EXE
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 1740 wrote to memory of 552 | 1740 | EXCEL.EXE | rundll32.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
PID 552 wrote to memory of 1352 | 552 | rundll32.exe | wermgr.exe
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 ..\TDCS.OKDFR,DllRegisterServer1
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\TDCS.OKDFR
MD5 884dab96c679194fc5140322d5ce9e9d
SHA1 e7277a259a6f05bb74c14324f97b9513c8d4d9e5
SHA256 5b6661b43c17ad12172c4327aa4b79be8bcf1c421cb08d6bff19f7e26282e9d8
SHA512 b3c18425d6c6712f7e7c31909af128628aa95af55f1de7632399276b630e8be9448fb10d5c29e77ac83522bf130e34cd1a3a7ad5875876a60e5a3069e7340b30
-
\Users\Admin\TDCS.OKDFR
MD5 884dab96c679194fc5140322d5ce9e9d
SHA1 e7277a259a6f05bb74c14324f97b9513c8d4d9e5
SHA256 5b6661b43c17ad12172c4327aa4b79be8bcf1c421cb08d6bff19f7e26282e9d8
SHA512 b3c18425d6c6712f7e7c31909af128628aa95af55f1de7632399276b630e8be9448fb10d5c29e77ac83522bf130e34cd1a3a7ad5875876a60e5a3069e7340b30
-
memory/552-10-0x0000000000230000-0x0000000000267000-memory.dmp
Filesize 220KB
-
memory/552-14-0x0000000010001000-0x0000000010003000-memory.dmp
Filesize 8KB
-
memory/552-13-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize 4KB
-
memory/552-12-0x00000000008A0000-0x00000000008E1000-memory.dmp
Filesize 260KB
-
memory/552-6-0x0000000000000000-mapping.dmp
-
memory/552-7-0x00000000766F1000-0x00000000766F3000-memory.dmp
Filesize 8KB
-
memory/1144-5-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp
Filesize 2.5MB
-
memory/1352-11-0x0000000000000000-mapping.dmp
-
memory/1352-15-0x0000000000060000-0x0000000000088000-memory.dmp
Filesize 160KB
-
memory/1352-16-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize 4KB
-
memory/1740-2-0x000000002F341000-0x000000002F344000-memory.dmp
Filesize 12KB
-
memory/1740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/1740-3-0x00000000715E1000-0x00000000715E3000-memory.dmp
Filesize 8KB