nloader | bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58

Resubmissions

18-03-2021 05:00

210318-qavf9s8tea 10

Analysis

max time kernel
69s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
18-03-2021 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Form_1004276.xlsb
Size

277KB
MD5

830ee920796185f6ef36dc8962ce8cb8
SHA1

89ee9b135716f6aca200d268bf270d28e29d21d7
SHA256

bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
SHA512

a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

Score

10^/10

nloader trickbot rev3 banker loader trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

trickbot

Version

100013

Botnet

rev3

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1788	1724	certutil.exe	24
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	416	1724	rundll32.exe	24

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Nloader Payload 4 IoCs

resource	yara_rule
behavioral1/memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral1/memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp	nloader
behavioral1/memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp	nloader
behavioral1/memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp	nloader

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

resource	yara_rule
behavioral1/memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp	templ_dll
behavioral1/memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp	templ_dll
behavioral1/memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp	templ_dll

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	416	rundll32.exe
4	416	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
416	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1724	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	wermgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1724	EXCEL.EXE
1724	EXCEL.EXE
1724	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	27
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	27
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	27
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	27
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	32
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 416 wrote to memory of 928	416	rundll32.exe	34
PID 928 wrote to memory of 1804	928	rundll32.exe	35
PID 928 wrote to memory of 1804	928	rundll32.exe	35
PID 928 wrote to memory of 1804	928	rundll32.exe	35
PID 928 wrote to memory of 1804	928	rundll32.exe	35
PID 928 wrote to memory of 1432	928	rundll32.exe	36
PID 928 wrote to memory of 1432	928	rundll32.exe	36
PID 928 wrote to memory of 1432	928	rundll32.exe	36
PID 928 wrote to memory of 1432	928	rundll32.exe	36
PID 928 wrote to memory of 1432	928	rundll32.exe	36
PID 928 wrote to memory of 1432	928	rundll32.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Form_1004276.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi.png C:\Users\Public\jahi.pn
  2⤵
  - Process spawned unexpected child process
  PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\SysWOW64\rundll32.exe
    C:\ProgramData\kgff\kgff.dll,DllRegisterServer1
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      4⤵
      PID:1804
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/928-34-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp

Filesize
216KB

Download
memory/928-29-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/928-31-0x00000000001F1000-0x00000000001F3000-memory.dmp

Filesize
8KB

Download
memory/928-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp

Filesize
228KB

Download
memory/1432-32-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1432-33-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1724-2-0x000000002FFF1000-0x000000002FFF4000-memory.dmp

Filesize
12KB

Download
memory/1724-3-0x0000000071C61000-0x0000000071C63000-memory.dmp

Filesize
8KB

Download
memory/1724-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1788-7-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2024-5-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads