Resubmissions
- 18-03-2021 05:00, 210318-qavf9s8tea, score: 10

Analysis
- max time kernel: 140s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-03-2021 05:00
Behavioral task
- behavioral1
- Sample: Form_1004276.xlsb
- Resource: win7v20201028
General
- Target: Form_1004276.xlsb
- Size: 277KB
- MD5: 830ee920796185f6ef36dc8962ce8cb8
- SHA1: 89ee9b135716f6aca200d268bf270d28e29d21d7
- SHA256: bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
- SHA512: a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde
Malware Config
Extracted
- Family: trickbot
- 100013
- rev3
- C2:
  103.225.138.94:449
  122.2.28.70:449
  123.200.26.246:449
  131.255.106.152:449
  142.112.79.223:449
  154.126.176.30:449
  180.92.238.186:449
  187.20.217.129:449
  201.20.118.122:449
  202.91.41.138:449
  95.210.118.90:449
- autorunName: pwgrab
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1536 | 3636 | certutil.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4048 | 3636 | rundll32.exe | EXCEL.EXE
- Nloader Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2744-13-0x00000000029E0000-0x00000000029E9000-memory.dmp | nloader
  behavioral2/memory/2744-14-0x0000000010000000-0x0000000010007000-memory.dmp | nloader
  behavioral2/memory/2744-15-0x00000000045B0000-0x00000000045B5000-memory.dmp | nloader
  behavioral2/memory/2744-16-0x00000000009B0000-0x00000000009B6000-memory.dmp | nloader
- Templ.dll packer (3 IoCs)
  Detects Templ.dll packer which usually loads Trickbot.
  resource | yara_rule
  behavioral2/memory/2084-21-0x0000000002B70000-0x0000000002BA9000-memory.dmp | templ_dll
  behavioral2/memory/2084-22-0x0000000004250000-0x0000000004287000-memory.dmp | templ_dll
  behavioral2/memory/2084-24-0x0000000000840000-0x0000000000876000-memory.dmp | templ_dll
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  28 | 2744 | rundll32.exe
  29 | 2744 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid | process
  2744 | rundll32.exe
  2084 | rundll32.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  32 | wtfismyip.com
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  3636 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: wermgr.exe
  description | pid | process
  Token: SeDebugPrivilege | 3484 | wermgr.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
  pid | process
  3636 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: EXCEL.EXE, rundll32.exe, rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 3636 wrote to memory of 1536 | 3636 | EXCEL.EXE | certutil.exe (2 entries)
  PID 3636 wrote to memory of 4048 | 3636 | EXCEL.EXE | rundll32.exe (2 entries)
  PID 4048 wrote to memory of 2744 | 4048 | rundll32.exe | rundll32.exe (3 entries)
  PID 2744 wrote to memory of 2084 | 2744 | rundll32.exe | rundll32.exe (3 entries)
  PID 2084 wrote to memory of 1844 | 2084 | rundll32.exe | cmd.exe (3 entries)
  PID 2084 wrote to memory of 3484 | 2084 | rundll32.exe | wermgr.exe (4 entries)
Processes (process tree; indentation shows parent/child depth)
Depth 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Form_1004276.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\System32\certutil.exe
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi.png C:\Users\Public\jahi.pn
    - Process spawned unexpected child process
  Depth 2: C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\ProgramData\kgff\kgff.dll,DllRegisterServer1
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe
        Depth 5: C:\Windows\system32\wermgr.exe
          Command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\kgff\kgff.dll
  MD5: 5bab87140fed67a1a1d4480753e68e46
  SHA1: 48a0c09f3659ed2ea2194eb03bbc79feab2b9c06
  SHA256: b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6
  SHA512: 451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff
  MD5: c7f1fa75560c9d45c90deb4986679750
  SHA1: 223e5bf5a05a04dd0b3379bd92a9ee66756eaf5d
  SHA256: 4a68d3915aca7a6d3967e265caa230a83c08762a298e117d0d0e81be2ae68f22
  SHA512: 807d8aa1a621f55253887a7147040843aac1d57bfb77f58877e9d4ebc688dcf4f6267f374c5d262392d6f0a9cf206d1488ef58e2ef646eaad21b252fde3a080c
- C:\Users\Public\jahi.pn
  MD5: 8539346052a26e7afb4c7e4331c88448
  SHA1: 6be665d2139f14759a025543b83c4c0cbff70687
  SHA256: 492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303
  SHA512: 4d380dbc13def50a6033498174c1fa26f74e3545701deaccab42111ea205d5592f584bf2980ea71c0260d9a67f742c2c9c64267ee73f5f2b9e169e84b69e8753
- C:\Users\Public\jahi.png
  MD5: 7be842ccd981433524987be60ba7b1ef
  SHA1: 5b381967f9e9d9851aea1e8e3415a0c8f16de860
  SHA256: b52c8cd5955ac0de222514ef85cfc25e7027c1a069f771510bac8620e4438892
  SHA512: 372b9612a563bfd9d65b58a4c9a2973d66f9a654e6b8d275a4c83906defd6d3b5d33174288ea77a5f82b719cd26244c95bab5d38ca071e57536a474447a5861b
- \ProgramData\kgff\kgff.dll
  MD5: 5bab87140fed67a1a1d4480753e68e46
  SHA1: 48a0c09f3659ed2ea2194eb03bbc79feab2b9c06
  SHA256: b617b7dca180cf678066da3eff7c09d9f8d79a10b71a81cc8b8935cc978ec7c6
  SHA512: 451615cbaa220e72a94b6c7bce82add0e693e4dfe55cb95c25708ae802c059e40bb43442c5bbd357c64010ecbcba3e375af0cd5cac143b9f634326ad32246112
- \Users\Public\jahi.pn
  MD5: 8539346052a26e7afb4c7e4331c88448
  SHA1: 6be665d2139f14759a025543b83c4c0cbff70687
  SHA256: 492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303
  SHA512: 4d380dbc13def50a6033498174c1fa26f74e3545701deaccab42111ea205d5592f584bf2980ea71c0260d9a67f742c2c9c64267ee73f5f2b9e169e84b69e8753
- memory/1536-7-0x0000000000000000-mapping.dmp
- memory/2084-24-0x0000000000840000-0x0000000000876000-memory.dmp (Filesize: 216KB)
- memory/2084-22-0x0000000004250000-0x0000000004287000-memory.dmp (Filesize: 220KB)
- memory/2084-26-0x00000000042C0000-0x00000000042C1000-memory.dmp (Filesize: 4KB)
- memory/2084-17-0x0000000000000000-mapping.dmp
- memory/2084-25-0x00000000043A0000-0x00000000043E3000-memory.dmp (Filesize: 268KB)
- memory/2084-27-0x0000000004291000-0x0000000004293000-memory.dmp (Filesize: 8KB)
- memory/2084-30-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/2084-21-0x0000000002B70000-0x0000000002BA9000-memory.dmp (Filesize: 228KB)
- memory/2744-11-0x0000000000000000-mapping.dmp
- memory/2744-13-0x00000000029E0000-0x00000000029E9000-memory.dmp (Filesize: 36KB)
- memory/2744-14-0x0000000010000000-0x0000000010007000-memory.dmp (Filesize: 28KB)
- memory/2744-15-0x00000000045B0000-0x00000000045B5000-memory.dmp (Filesize: 20KB)
- memory/2744-16-0x00000000009B0000-0x00000000009B6000-memory.dmp (Filesize: 24KB)
- memory/3484-23-0x0000000000000000-mapping.dmp
- memory/3484-28-0x000001D9A82D0000-0x000001D9A82F8000-memory.dmp (Filesize: 160KB)
- memory/3484-29-0x000001D9A83E0000-0x000001D9A83E1000-memory.dmp (Filesize: 4KB)
- memory/3636-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp (Filesize: 64KB)
- memory/3636-6-0x00007FF8E9150000-0x00007FF8E9787000-memory.dmp (Filesize: 6.2MB)
- memory/3636-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp (Filesize: 64KB)
- memory/3636-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp (Filesize: 64KB)
- memory/3636-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp (Filesize: 64KB)
- memory/4048-9-0x0000000000000000-mapping.dmp