Analysis
-
max time kernel
136s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-02-2021 18:56
Behavioral task
behavioral1
Sample
Attachment_777622.xlsb
Resource
win7v20201028
General
-
Target
Attachment_777622.xlsb
-
Size
81KB
-
MD5
3079d4778cfc7959eb2a7e54a57769a4
-
SHA1
13074fe13d6dd531e4f5293c3e15eaa8ed6208a4
-
SHA256
aed5f5bbec1f7f8ea9010f7388f76b801b443c5ce691d0c008b6058f290e51da
-
SHA512
09a6cb132c84a015b504ce7e10c700dd4b78a36b1d514b4d8f92dca444017aec883a71600776e41ec9924f786cb9aed0256beccc541ac665566fd99875272eb5
Malware Config
Extracted
trickbot
100012
mon88
41.77.134.250:449
45.155.173.242:443
192.162.238.186:449
142.112.79.223:449
122.2.28.70:449
154.126.176.30:449
45.230.244.20:443
182.253.107.34:443
200.52.147.93:443
123.200.26.246:449
131.255.106.152:449
177.85.133.118:449
103.225.138.94:449
142.202.191.164:443
95.210.118.90:449
36.94.62.207:443
201.20.118.122:449
180.92.238.186:449
103.130.6.244:449
202.91.41.138:449
187.20.217.129:449
-
autorunName:pwgrab
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4468 4688 rundll32.exe EXCEL.EXE -
Templ.dll packer 3 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/4488-11-0x0000000004730000-0x0000000004769000-memory.dmp templ_dll behavioral2/memory/4488-12-0x00000000049E0000-0x0000000004A17000-memory.dmp templ_dll behavioral2/memory/4488-13-0x00000000046E0000-0x0000000004716000-memory.dmp templ_dll -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4488 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 43 ip.anysrc.net -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4688 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 840 wermgr.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 4688 EXCEL.EXE 4688 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE 4688 EXCEL.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exedescription pid process target process PID 4688 wrote to memory of 4468 4688 EXCEL.EXE rundll32.exe PID 4688 wrote to memory of 4468 4688 EXCEL.EXE rundll32.exe PID 4468 wrote to memory of 4488 4468 rundll32.exe rundll32.exe PID 4468 wrote to memory of 4488 4468 rundll32.exe rundll32.exe PID 4468 wrote to memory of 4488 4468 rundll32.exe rundll32.exe PID 4488 wrote to memory of 640 4488 rundll32.exe wermgr.exe PID 4488 wrote to memory of 640 4488 rundll32.exe wermgr.exe PID 4488 wrote to memory of 840 4488 rundll32.exe wermgr.exe PID 4488 wrote to memory of 840 4488 rundll32.exe wermgr.exe PID 4488 wrote to memory of 840 4488 rundll32.exe wermgr.exe PID 4488 wrote to memory of 840 4488 rundll32.exe wermgr.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Attachment_777622.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\qoqw\1554.dll,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\qoqw\1554.dll,DllRegisterServer3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe4⤵PID:640
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:840
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\qoqw\1554.dllMD5
10dcb25376d06bc580d053b982f2d9a3
SHA1a05fcb08123e2ce5385081ce5b57e6dd211b9c3c
SHA25607048e9764891e39f3e37c72c8ca33a6a01cbd359cd47c12a3af7726769e83b8
SHA512d377b20f6d6ef9133694e2f776a117307dace1756c00634871f8aac7ab586cd2da982c01715b41b0a4d2a40b6ec621b8f1f4db77fad5df104f1d3de074eb1381
-
\ProgramData\qoqw\1554.dllMD5
10dcb25376d06bc580d053b982f2d9a3
SHA1a05fcb08123e2ce5385081ce5b57e6dd211b9c3c
SHA25607048e9764891e39f3e37c72c8ca33a6a01cbd359cd47c12a3af7726769e83b8
SHA512d377b20f6d6ef9133694e2f776a117307dace1756c00634871f8aac7ab586cd2da982c01715b41b0a4d2a40b6ec621b8f1f4db77fad5df104f1d3de074eb1381
-
memory/840-19-0x000002339C600000-0x000002339C601000-memory.dmpFilesize
4KB
-
memory/840-18-0x000002339C4E0000-0x000002339C508000-memory.dmpFilesize
160KB
-
memory/840-15-0x0000000000000000-mapping.dmp
-
memory/4468-7-0x0000000000000000-mapping.dmp
-
memory/4488-13-0x00000000046E0000-0x0000000004716000-memory.dmpFilesize
216KB
-
memory/4488-9-0x0000000000000000-mapping.dmp
-
memory/4488-11-0x0000000004730000-0x0000000004769000-memory.dmpFilesize
228KB
-
memory/4488-12-0x00000000049E0000-0x0000000004A17000-memory.dmpFilesize
220KB
-
memory/4488-14-0x0000000004DA0000-0x0000000004DE3000-memory.dmpFilesize
268KB
-
memory/4488-17-0x0000000004A21000-0x0000000004A23000-memory.dmpFilesize
8KB
-
memory/4488-16-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/4688-6-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4688-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4688-5-0x00007FFEEABA0000-0x00007FFEEB1D7000-memory.dmpFilesize
6.2MB
-
memory/4688-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4688-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB