Analysis
- max time kernel: 70s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-02-2021 20:05

Behavioral task: behavioral1
- Sample: Attach_1344833645_1944784007.xls
- Resource: win7v20201028
General
- Target: Attach_1344833645_1944784007.xls
- Size: 141KB
- MD5: d565aff6f0f8712bd3a7529e19a8a419
- SHA1: ff573e49876b159f8821f9c8abfa6c344a5ed275
- SHA256: cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54
- SHA512: 4af4bd83b514788f0d98fa6f18da332f53bddbac683774f10fbf7174e9a02e14bf91d01605b68b87a2b1606d5f67cb850693bd3a8391dab6e285fe08c708041e
Malware Config
Extracted
- Family: trickbot
- Version: 2000026
- Botnet (gtag): rob16
- C2 (ip:port):
154.79.252.132:449
179.191.108.58:449
200.6.169.124:443
103.76.20.226:443
80.78.77.116:449
80.78.75.246:443
45.234.248.66:449
187.190.116.59:443
185.234.72.84:443
36.94.202.131:443
103.91.244.102:449
168.232.188.88:449
103.73.101.98:449
173.81.4.147:449
202.142.151.190:449
118.67.216.238:449
108.170.20.72:443
85.159.214.61:443
36.92.93.5:449
79.122.166.236:449
201.184.190.59:449
111.235.66.83:443
187.19.200.154:449
186.195.199.238:449
103.84.164.87:443
117.212.193.62:449
190.152.71.230:443
37.235.230.123:449
103.119.117.42:443
177.47.88.62:443
103.146.2.152:449
102.164.211.138:449
182.48.66.106:443
178.54.230.164:443
221.176.88.201:449
167.179.194.205:443
179.60.243.52:443
- autorunName: pwgrab
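The extracted C2 list is only useful once it is turned into something a sensor can match. The following is an added example, not part of the sandbox report: it parses the ip:port entries above, checks their shape, builds one Suricata alert per endpoint, and runs the list over a constructed connection log. The flow log lines and the Suricata sid base (9000000) are assumptions made for the demo; the C2 entries are copied verbatim from the Malware Config section.

```python
"""Turn the TrickBot rob16 C2 list into checkable network IoCs (added example)."""
import ipaddress
import re
from collections import Counter

# ip:port entries exactly as listed in the extracted config above
C2_CONFIG = """
154.79.252.132:449
179.191.108.58:449
200.6.169.124:443
103.76.20.226:443
80.78.77.116:449
80.78.75.246:443
45.234.248.66:449
187.190.116.59:443
185.234.72.84:443
36.94.202.131:443
103.91.244.102:449
168.232.188.88:449
103.73.101.98:449
173.81.4.147:449
202.142.151.190:449
118.67.216.238:449
108.170.20.72:443
85.159.214.61:443
36.92.93.5:449
79.122.166.236:449
201.184.190.59:449
111.235.66.83:443
187.19.200.154:449
186.195.199.238:449
103.84.164.87:443
117.212.193.62:449
190.152.71.230:443
37.235.230.123:449
103.119.117.42:443
177.47.88.62:443
103.146.2.152:449
102.164.211.138:449
182.48.66.106:443
178.54.230.164:443
221.176.88.201:449
167.179.194.205:443
179.60.243.52:443
"""

# constructed flow log (timestamp, source, destination:port); not from the report
FLOW_LOG = """
2021-02-23T20:06:11Z 10.0.0.15 154.79.252.132:449
2021-02-23T20:06:12Z 10.0.0.15 93.184.216.34:443
2021-02-23T20:06:13Z 10.0.0.15 200.6.169.124:443
2021-02-23T20:06:14Z 10.0.0.15 154.79.252.132:443
2021-02-23T20:06:15Z 10.0.0.15 8.8.8.8:53
"""


def parse_c2(text):
    """Return (ip, port) tuples sorted by address; reject anything malformed
    so a typo in a blocklist never silently becomes a no-op rule."""
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", line)
        if not m:
            raise ValueError(f"unparseable C2 entry: {line!r}")
        ip = ipaddress.ip_address(m.group(1))  # raises ValueError on octets > 255
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.add((str(ip), port))
    return sorted(endpoints, key=lambda e: (ipaddress.ip_address(e[0]), e[1]))


def port_histogram(endpoints):
    """Which ports the botnet listens on (449 is a long-standing TrickBot tell)."""
    return Counter(port for _, port in endpoints)


def suricata_rules(endpoints, sid_base=9000000):
    """One outbound alert rule per endpoint; sid_base is an arbitrary demo value."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"TrickBot rob16 C2 {ip}:{port}"; flow:to_server; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


def match_flows(log_text, endpoints, ip_only=False):
    """Lines of the flow log that hit a C2. With ip_only=True the port is ignored,
    which catches the same host on a port the config did not list."""
    exact = set(endpoints)
    hosts = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        dst, _, port = parts[2].rpartition(":")
        if (ip_only and dst in hosts) or (not ip_only and (dst, int(port)) in exact):
            hits.append(line)
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_CONFIG)
    print(len(c2), "endpoints; ports:", dict(port_histogram(c2)))
    print("\n".join(suricata_rules(c2)[:3]))
    print("exact hits:", match_flows(FLOW_LOG, c2))
    print("ip-only hits:", match_flows(FLOW_LOG, c2, ip_only=True))
```

Matching on ip:port misses the fourth constructed flow (a listed C2 host on a port the config did not name); blocking and hunting should be keyed on the address, with the port kept only as context.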
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1292 | 1152 | rundll32.exe | EXCEL.EXE
Templ.dll packer (1 IoC)
Detects the Templ.dll packer, which usually loads TrickBot.
  resource | yara_rule
  behavioral2/memory/2712-12-0x0000000001030000-0x0000000001067000-memory.dmp | templ_dll
Loads dropped DLL (1 IoC)
  pid | process
  2712 | rundll32.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  34 | ident.me
  35 | ident.me
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  1152 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 3912 | wermgr.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1152 | EXCEL.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  1152 | EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1152 wrote to memory of 1292 | 1152 | EXCEL.EXE | rundll32.exe (2 occurrences)
  PID 1292 wrote to memory of 2712 | 1292 | rundll32.exe | rundll32.exe (3 occurrences)
  PID 2712 wrote to memory of 3912 | 2712 | rundll32.exe | wermgr.exe (4 occurrences)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1152, depth 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Attach_1344833645_1944784007.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\rundll32.exe (PID 1292, depth 2, parent 1152)
    command line: rundll32 ..\TDCS.OKDFR,DllRegisterServer1
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 2712, depth 3, parent 1292)
      command line: rundll32 ..\TDCS.OKDFR,DllRegisterServer1
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wermgr.exe (PID 3912, depth 4, parent 2712)
        command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
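The process tree and the Signatures block together describe one chain: Excel launches the 64-bit rundll32 on a relative, non-.dll path, that rundll32 hands off to the SysWOW64 copy (the 64-bit rundll32 relaunches the 32-bit one when the target is a 32-bit DLL), and the 32-bit copy writes into a fresh wermgr.exe, which then takes SeDebugPrivilege. Below is detection logic for each link of that chain, run over process-creation events in the shape of Sysmon Event ID 1. This is an added example and not part of the sandbox report or any vendor ruleset. The events are constructed from the PIDs, images and command lines printed in the Processes section (command lines copied as printed); the explorer.exe parent (PID 900), the benign control-panel rundll32 (PID 4100), the LOLBin list and the set of expected wermgr.exe parents are assumptions made for the demo.

```python
"""Detection checks for the EXCEL -> rundll32 -> rundll32 -> wermgr chain (added example)."""
import ntpath
import shlex

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# living-off-the-land binaries an Office application has no business launching (demo list)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# assumption: the WER manager is normally started by the WER service host, never by rundll32
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "werfault.exe", "wermgr.exe"}
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

# constructed Sysmon-style process-creation events; PIDs and images from the report,
# explorer.exe (PID 900) and the benign rundll32 (PID 4100) are invented negatives
EVENTS = [
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1152, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\Attach_1344833645_1944784007.xls"'},
    {"pid": 1292, "ppid": 1152, "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "cmdline": r"rundll32 ..\TDCS.OKDFR,DllRegisterServer1"},
    {"pid": 2712, "ppid": 1292, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 ..\TDCS.OKDFR,DllRegisterServer1"},
    {"pid": 3912, "ppid": 2712, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _by_pid(events):
    return {e["pid"]: e for e in events}


def office_spawns(events):
    """PIDs of LOLBin children whose direct parent is an Office application."""
    index = _by_pid(events)
    return [e["pid"] for e in events
            if (p := index.get(e["ppid"])) is not None
            and _base(p["image"]) in OFFICE_APPS and _base(e["image"]) in LOLBINS]


def rundll32_suspicious(events):
    """(pid, dll, export) for rundll32 calls that load a DLL by a relative path or
    under a non-library extension, the two tells of the macro command line here."""
    hits = []
    for e in events:
        if _base(e["image"]) != "rundll32.exe":
            continue
        args = shlex.split(e["cmdline"], posix=False)  # keep backslashes literal
        if len(args) < 2:
            continue
        dll, _, export = args[1].strip('"').partition(",")
        absolute = (len(dll) > 1 and dll[1] == ":") or dll.startswith("\\\\")
        ext = ntpath.splitext(dll)[1].lower()
        if not absolute or ext not in LIBRARY_EXTENSIONS:
            hits.append((e["pid"], dll, export))
    return hits


def wermgr_anomalies(events):
    """wermgr.exe instances whose parent is not one the WER service would use."""
    index = _by_pid(events)
    return [e["pid"] for e in events
            if _base(e["image"]) == "wermgr.exe"
            and ((p := index.get(e["ppid"])) is None
                 or _base(p["image"]) not in EXPECTED_WERMGR_PARENTS)]


def ancestry(events, pid):
    """Image names from the root of the tree down to pid, for triage output."""
    index = _by_pid(events)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    print("Office -> LOLBin:", office_spawns(EVENTS))
    print("rundll32 relative/odd DLL:", rundll32_suspicious(EVENTS))
    print("wermgr with unexpected parent:", wermgr_anomalies(EVENTS))
    print(" -> ".join(ancestry(EVENTS, 3912)))
```

The relative-path check will also fire on legitimate `rundll32 shell32.dll,...` invocations that rely on the loader search path, so an allowlist of bare system DLL names is needed before this runs in production; the Office-parent and wermgr-parent checks are close to noise-free on their own.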
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\TDCS.OKDFR (also recorded as \Users\Admin\TDCS.OKDFR)
  MD5: 884dab96c679194fc5140322d5ce9e9d
  SHA1: e7277a259a6f05bb74c14324f97b9513c8d4d9e5
  SHA256: 5b6661b43c17ad12172c4327aa4b79be8bcf1c421cb08d6bff19f7e26282e9d8
  SHA512: b3c18425d6c6712f7e7c31909af128628aa95af55f1de7632399276b630e8be9448fb10d5c29e77ac83522bf130e34cd1a3a7ad5875876a60e5a3069e7340b30
Memory dumps
  dump | address range | size
  memory/1152-2 | 0x00007FFB31D10000-0x00007FFB31D20000 | 64KB
  memory/1152-3 | 0x00007FFB31D10000-0x00007FFB31D20000 | 64KB
  memory/1152-4 | 0x00007FFB31D10000-0x00007FFB31D20000 | 64KB
  memory/1152-5 | 0x00007FFB55F10000-0x00007FFB56547000 | 6.2MB
  memory/1152-6 | 0x00007FFB31D10000-0x00007FFB31D20000 | 64KB
  memory/1152-7 | 0x00007FFB2E6E0000-0x00007FFB2E6F0000 | 64KB
  memory/1292-8 | 0x0000000000000000 | mapping
  memory/2712-10 | 0x0000000000000000 | mapping
  memory/2712-12 | 0x0000000001030000-0x0000000001067000 | 220KB
  memory/2712-14 | 0x0000000001150000-0x0000000001191000 | 260KB
  memory/2712-15 | 0x0000000000B20000-0x0000000000B21000 | 4KB
  memory/2712-16 | 0x0000000010001000-0x0000000010003000 | 8KB
  memory/3912-13 | 0x0000000000000000 | mapping
  memory/3912-17 | 0x00000218A28E0000-0x00000218A2908000 | 160KB
  memory/3912-18 | 0x00000218A29F0000-0x00000218A29F1000 | 4KB