Analysis
max time kernel: 243s
max time network: 286s
platform: windows7_x64
resource: win7v20210410
submitted: 28-06-2021 13:45
Static task: static1
Behavioral task: behavioral1
  Sample: legal agreement-06.28.2021.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: legal agreement-06.28.2021.doc
  Resource: win10v20210408
General
Target: legal agreement-06.28.2021.doc
Size: 50KB
MD5: ffad9afed8f30d780cac0808da1c5d3f
SHA1: b838575fe38390f411e85505607023b6764101a1
SHA256: 133eaec108dcdf485a65616e0b26d8ffe1781e795b49bef6021c51679bf92c7a
SHA512: 91823ef5ca872eb7dd93b5419de870aaa4e44086b5f0adbb277d2c08d40536146a71378cce8600af82880d5771d6311ce0b9e227795270ac1f83a1c5352b30e0
Malware Config
Extracted
Family: trickbot
Version: 2000031
Botnet: zev1
C2:
  14.232.161.45:443
  118.173.233.64:443
  41.57.156.203:443
  45.239.234.2:443
  45.201.136.3:443
  177.10.90.29:443
  185.17.105.236:443
  91.237.161.87:443
  185.189.55.207:443
  186.225.119.170:443
  143.0.208.20:443
  222.124.16.74:443
  220.82.64.198:443
  200.236.218.62:443
  178.216.28.59:443
  45.239.233.131:443
  196.216.59.174:443
  119.202.8.249:443
  82.159.149.37:443
  49.248.217.170:443
  181.114.215.239:443
  113.160.132.237:443
  105.30.26.50:443
  202.165.47.106:443
  103.122.228.44:443
autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1844  pid_target: 452  process: cmd.exe  target process: WINWORD.EXE

Blocklisted process makes network request (1 IoCs)
Processes:
  flow: 6  pid: 1148  process: mshta.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoCs)
Processes:
  pid: 1740  process: regsvr32.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 23  ioc: myexternalip.com

Drops file in Windows directory (1 IoCs)
Processes:
  description: File opened for modification  ioc: C:\Windows\Debug\WIA\wiatrace.log  process: WINWORD.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  (WINWORD.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  (WINWORD.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  (WINWORD.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  (WINWORD.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  (WINWORD.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  (WINWORD.EXE)
  Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  (WINWORD.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  (WINWORD.EXE)
  Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  (WINWORD.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  (mshta.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid: 452  process: WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 1708  process: wermgr.exe

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
  pid: 452  process: WINWORD.EXE  (16 identical entries)

Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description / pid / process / target process):
  PID 452 wrote to memory of 1844   / 452  / WINWORD.EXE  / cmd.exe       (4 entries)
  PID 1844 wrote to memory of 1148  / 1844 / cmd.exe      / mshta.exe     (4 entries)
  PID 452 wrote to memory of 1216   / 452  / WINWORD.EXE  / splwow64.exe  (4 entries)
  PID 1148 wrote to memory of 1740  / 1148 / mshta.exe    / regsvr32.exe  (7 entries)
  PID 1740 wrote to memory of 1708  / 1740 / regsvr32.exe / wermgr.exe    (6 entries)
Processes (number = depth in the process tree)

1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement-06.28.2021.doc"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\\users\\public\\doubleBorderInt.hta
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\doubleBorderInt.hta"
         - Blocklisted process makes network request
         - Modifies Internet Explorer settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\regsvr32.exe
            Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\doubleBorderInt.jpg
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\wermgr.exe
               Command line: C:\Windows\system32\wermgr.exe
               - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\doubleBorderInt.hta
  MD5: a27bc3fd105fca9661e54e0d9b38ebe0
  SHA1: 23dabd40d9a90ead8bfbc1b1b56b7ab712460a7d
  SHA256: b3be02abef98fd6bde2752217b996cb0ab6ea534be8aadb9440474e1088a90af
  SHA512: 481068bef5774b26198b3799cfc2f4b0b6d763353ad118e7eb59584b190dfda75bca619f9a38ba611e311b2e4589cd78215f8044c24b756b459e337b6fc4b4ba

\??\c:\users\public\doubleBorderInt.jpg
  MD5: 8bcaea11e4265287a146708fa0925e11
  SHA1: 5554f90ccce7ac7c8de9126c18034338513b0846
  SHA256: 8fcbd8dd417d45cad78178750fec2268b3ae6aae54005014bbf4173771925ff0
  SHA512: ee79e28488708ef6945741d301e94e5ade1648b6d4172011f07e30919da726724189cf54d728707cd29f56d03877ed71672dd6cfc25095b487787bdb45378075

\Users\Public\doubleBorderInt.jpg
  MD5: 8bcaea11e4265287a146708fa0925e11
  SHA1: 5554f90ccce7ac7c8de9126c18034338513b0846
  SHA256: 8fcbd8dd417d45cad78178750fec2268b3ae6aae54005014bbf4173771925ff0
  SHA512: ee79e28488708ef6945741d301e94e5ade1648b6d4172011f07e30919da726724189cf54d728707cd29f56d03877ed71672dd6cfc25095b487787bdb45378075

memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/452-60-0x0000000072881000-0x0000000072884000-memory.dmp  Filesize: 12KB
memory/452-61-0x0000000070301000-0x0000000070303000-memory.dmp  Filesize: 8KB
memory/452-81-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1148-66-0x0000000000000000-mapping.dmp
memory/1216-68-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp  Filesize: 8KB
memory/1216-67-0x0000000000000000-mapping.dmp
memory/1708-79-0x0000000000390000-0x0000000000391000-memory.dmp  Filesize: 4KB
memory/1708-77-0x0000000000000000-mapping.dmp
memory/1708-78-0x0000000000060000-0x0000000000088000-memory.dmp  Filesize: 160KB
memory/1740-73-0x0000000010000000-0x0000000010037000-memory.dmp  Filesize: 220KB
memory/1740-76-0x00000000001D1000-0x00000000001D3000-memory.dmp  Filesize: 8KB
memory/1740-75-0x00000000001E0000-0x00000000001F1000-memory.dmp  Filesize: 68KB
memory/1740-74-0x0000000000170000-0x00000000001B3000-memory.dmp  Filesize: 268KB
memory/1740-80-0x0000000010000000-0x0000000010003000-memory.dmp  Filesize: 12KB
memory/1740-69-0x0000000000000000-mapping.dmp
memory/1844-64-0x00000000753E1000-0x00000000753E3000-memory.dmp  Filesize: 8KB
memory/1844-63-0x0000000000000000-mapping.dmp