Resubmissions
18-03-2021 05:00 | 210318-qavf9s8tea | 10
max time kernel: 69s
max time network: 134s
platform: windows7_x64
resource: win7v20201028
submitted: 18-03-2021 05:00
Behavioral task: behavioral1
Sample: Form_1004276.xlsb
Resource: win7v20201028
General
Target: Form_1004276.xlsb
Size: 277KB
MD5: 830ee920796185f6ef36dc8962ce8cb8
SHA1: 89ee9b135716f6aca200d268bf270d28e29d21d7
SHA256: bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
SHA512: a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde
Malware Config
Extracted: trickbot 100013 rev3
autorunName: pwgrab
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1788 | 1724 | certutil.exe | EXCEL.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 416 | 1724 | rundll32.exe | EXCEL.EXE
Nloader Payload (4 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp | nloader
- behavioral1/memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp | nloader
- behavioral1/memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp | nloader
- behavioral1/memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp | nloader
Templ.dll packer (3 IoCs)
Detects Templ.dll packer which usually loads Trickbot.
Processes (resource | yara_rule):
- behavioral1/memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp | templ_dll
- behavioral1/memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp | templ_dll
- behavioral1/memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp | templ_dll
Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
- 3 | 416 | rundll32.exe
- 4 | 416 | rundll32.exe
Loads dropped DLL (5 IoCs)
Processes (pid | process):
- 416 | rundll32.exe
- 928 | rundll32.exe (x4)
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid | process):
- 1724 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1432 | wermgr.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid | process):
- 1724 | EXCEL.EXE (x3)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (description | pid | process | target process), repeated entries collapsed with their count:
- PID 1724 wrote to memory of 1788 | 1724 | EXCEL.EXE | certutil.exe (x4)
- PID 1724 wrote to memory of 416 | 1724 | EXCEL.EXE | rundll32.exe (x7)
- PID 416 wrote to memory of 928 | 416 | rundll32.exe | rundll32.exe (x7)
- PID 928 wrote to memory of 1804 | 928 | rundll32.exe | cmd.exe (x4)
- PID 928 wrote to memory of 1432 | 928 | rundll32.exe | wermgr.exe (x6)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Form_1004276.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\certutil.exe
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi.png C:\Users\Public\jahi.pn
    - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\ProgramData\kgff\kgff.dll,DllRegisterServer1
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe
      C:\Windows\system32\wermgr.exe
        Command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
Downloads
Files written during the run:
- C:\ProgramData\kgff\kgff.dll
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
- C:\Users\Public\jahi.pn
- C:\Users\Public\jahi.png
-
Memory dumps (resource | file size):
- memory/416-9-0x0000000000000000-mapping.dmp
- memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp | 28KB
- memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp | 36KB
- memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp | 20KB
- memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp | 24KB
- memory/928-17-0x0000000000000000-mapping.dmp
- memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp | 220KB
- memory/928-34-0x0000000010000000-0x0000000010037000-memory.dmp | 220KB
- memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp | 216KB
- memory/928-29-0x0000000000350000-0x0000000000393000-memory.dmp | 268KB
- memory/928-31-0x00000000001F1000-0x00000000001F3000-memory.dmp | 8KB
- memory/928-30-0x0000000000290000-0x0000000000291000-memory.dmp | 4KB
- memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp | 228KB
- memory/1432-27-0x0000000000000000-mapping.dmp
- memory/1432-32-0x00000000000A0000-0x00000000000A1000-memory.dmp | 4KB
- memory/1432-33-0x0000000000060000-0x0000000000088000-memory.dmp | 160KB
- memory/1724-2-0x000000002FFF1000-0x000000002FFF4000-memory.dmp | 12KB
- memory/1724-3-0x0000000071C61000-0x0000000071C63000-memory.dmp | 8KB
- memory/1724-4-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
- memory/1788-6-0x0000000000000000-mapping.dmp
- memory/1788-7-0x00000000761E1000-0x00000000761E3000-memory.dmp | 8KB
- memory/2024-5-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp | 2.5MB