nloader | bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58

Resubmissions

18-03-2021 05:00

210318-qavf9s8tea 10

Analysis

max time kernel
69s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
18-03-2021 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Form_1004276.xlsb
Size

277KB
MD5

830ee920796185f6ef36dc8962ce8cb8
SHA1

89ee9b135716f6aca200d268bf270d28e29d21d7
SHA256

bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
SHA512

a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

Score

10^/10

nloader trickbot rev3 banker loader trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

trickbot

Version

100013

Botnet

rev3

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1788	1724	certutil.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	416	1724	rundll32.exe	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral1/memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp	nloader
behavioral1/memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp	nloader
behavioral1/memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp	nloader

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral1/memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp	templ_dll
behavioral1/memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp	templ_dll
behavioral1/memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp	templ_dll

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 416 rundll32.exe
4 416 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exe

pid process

416 rundll32.exe
928 rundll32.exe
928 rundll32.exe
928 rundll32.exe
928 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	416	rundll32.exe
4	416	rundll32.exe

pid	process
416	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1724 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1432 wermgr.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1724 EXCEL.EXE
1724 EXCEL.EXE
1724 EXCEL.EXE

pid	process
1724	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1432	wermgr.exe

pid	process
1724	EXCEL.EXE
1724	EXCEL.EXE
1724	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	certutil.exe
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	certutil.exe
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	certutil.exe
PID 1724 wrote to memory of 1788	1724	EXCEL.EXE	certutil.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 1724 wrote to memory of 416	1724	EXCEL.EXE	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 928	416	rundll32.exe	rundll32.exe
PID 928 wrote to memory of 1804	928	rundll32.exe	cmd.exe
PID 928 wrote to memory of 1804	928	rundll32.exe	cmd.exe
PID 928 wrote to memory of 1804	928	rundll32.exe	cmd.exe
PID 928 wrote to memory of 1804	928	rundll32.exe	cmd.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 1432	928	rundll32.exe	wermgr.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Form_1004276.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi.png C:\Users\Public\jahi.pn
2⤵
- Process spawned unexpected child process
PID:1788

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\rundll32.exe
C:\ProgramData\kgff\kgff.dll,DllRegisterServer1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:1804

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kgff\kgff.dll
MD5
5bab87140fed67a1a1d4480753e68e46

SHA1
48a0c09f3659ed2ea2194eb03bbc79feab2b9c06

SHA256
b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6

SHA512
451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
MD5
d7944279eeaa77dd3d90638823c1010b

SHA1
0e49b20e54ec71a87fbbb47d95efeb037f2859ee

SHA256
8a74ae6a59b4d68419e0ae22fb34aec277666a06c17341f98055b9eb559cdeb6

SHA512
79e64b33b2f2643d11b2125d672055afba65d53057aae82a75fbacf79455a86873b6fa463a3a21c95c5e8c89edc1a0bb4afb43d32cb9349da09947f352cd3c4f

Download Submit
C:\Users\Public\jahi.pn
MD5
8539346052a26e7afb4c7e4331c88448

SHA1
6be665d2139f14759a025543b83c4c0cbff70687

SHA256
492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303

SHA512
4d380dbc13def50a6033498174c1fa26f74e3545701deaccab42111ea205d5592f584bf2980ea71c0260d9a67f742c2c9c64267ee73f5f2b9e169e84b69e8753

Download Submit
C:\Users\Public\jahi.png
MD5
7be842ccd981433524987be60ba7b1ef

SHA1
5b381967f9e9d9851aea1e8e3415a0c8f16de860

SHA256
b52c8cd5955ac0de222514ef85cfc25e7027c1a069f771510bac8620e4438892

SHA512
372b9612a563bfd9d65b58a4c9a2973d66f9a654e6b8d275a4c83906defd6d3b5d33174288ea77a5f82b719cd26244c95bab5d38ca071e57536a474447a5861b

Download Submit
\ProgramData\kgff\kgff.dll
MD5
5bab87140fed67a1a1d4480753e68e46

SHA1
48a0c09f3659ed2ea2194eb03bbc79feab2b9c06

SHA256
b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6

SHA512
451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112

Download Submit
\ProgramData\kgff\kgff.dll
MD5
5bab87140fed67a1a1d4480753e68e46

SHA1
48a0c09f3659ed2ea2194eb03bbc79feab2b9c06

SHA256
b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6

SHA512
451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112

Download Submit
\ProgramData\kgff\kgff.dll
MD5
5bab87140fed67a1a1d4480753e68e46

SHA1
48a0c09f3659ed2ea2194eb03bbc79feab2b9c06

SHA256
b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6

SHA512
451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112

Download Submit
\ProgramData\kgff\kgff.dll
MD5
5bab87140fed67a1a1d4480753e68e46

SHA1
48a0c09f3659ed2ea2194eb03bbc79feab2b9c06

SHA256
b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6

SHA512
451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112

Download Submit
\Users\Public\jahi.pn
MD5
8539346052a26e7afb4c7e4331c88448

SHA1
6be665d2139f14759a025543b83c4c0cbff70687

SHA256
492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303

SHA512
4d380dbc13def50a6033498174c1fa26f74e3545701deaccab42111ea205d5592f584bf2980ea71c0260d9a67f742c2c9c64267ee73f5f2b9e169e84b69e8753

Download Submit
memory/416-9-0x0000000000000000-mapping.dmp

Download
memory/416-14-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/416-13-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/416-15-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/416-16-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/928-17-0x0000000000000000-mapping.dmp

Download
memory/928-26-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/928-34-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/928-28-0x00000000001A0000-0x00000000001D6000-memory.dmp

Filesize
216KB

Download
memory/928-29-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/928-31-0x00000000001F1000-0x00000000001F3000-memory.dmp

Filesize
8KB

Download
memory/928-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/928-25-0x0000000000240000-0x0000000000279000-memory.dmp

Filesize
228KB

Download
memory/1432-27-0x0000000000000000-mapping.dmp

Download
memory/1432-32-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1432-33-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1724-2-0x000000002FFF1000-0x000000002FFF4000-memory.dmp

Filesize
12KB

Download
memory/1724-3-0x0000000071C61000-0x0000000071C63000-memory.dmp

Filesize
8KB

Download
memory/1724-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1788-6-0x0000000000000000-mapping.dmp

Download
memory/1788-7-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2024-5-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

Filesize
2.5MB

Download