Overview

overview

10

Static

static

8

legal agre...21.doc

windows7_x64

10

legal agre...21.doc

windows10_x64

10

Analysis

  • max time kernel
    243s
  • max time network
    286s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    28-06-2021 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legal agreement-06.28.2021.doc

  • Size

    50KB

  • MD5

    ffad9afed8f30d780cac0808da1c5d3f

  • SHA1

    b838575fe38390f411e85505607023b6764101a1

  • SHA256

    133eaec108dcdf485a65616e0b26d8ffe1781e795b49bef6021c51679bf92c7a

  • SHA512

    91823ef5ca872eb7dd93b5419de870aaa4e44086b5f0adbb277d2c08d40536146a71378cce8600af82880d5771d6311ce0b9e227795270ac1f83a1c5352b30e0

Score
10/10
trickbotzev1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement-06.28.2021.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\\users\\public\\doubleBorderInt.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\doubleBorderInt.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\doubleBorderInt.jpg
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1708
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1216

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\users\public\doubleBorderInt.hta
      MD5

      a27bc3fd105fca9661e54e0d9b38ebe0

      SHA1

      23dabd40d9a90ead8bfbc1b1b56b7ab712460a7d

      SHA256

      b3be02abef98fd6bde2752217b996cb0ab6ea534be8aadb9440474e1088a90af

      SHA512

      481068bef5774b26198b3799cfc2f4b0b6d763353ad118e7eb59584b190dfda75bca619f9a38ba611e311b2e4589cd78215f8044c24b756b459e337b6fc4b4ba

      Download Submit
    • \??\c:\users\public\doubleBorderInt.jpg
      MD5

      8bcaea11e4265287a146708fa0925e11

      SHA1

      5554f90ccce7ac7c8de9126c18034338513b0846

      SHA256

      8fcbd8dd417d45cad78178750fec2268b3ae6aae54005014bbf4173771925ff0

      SHA512

      ee79e28488708ef6945741d301e94e5ade1648b6d4172011f07e30919da726724189cf54d728707cd29f56d03877ed71672dd6cfc25095b487787bdb45378075

      Download Submit
    • \Users\Public\doubleBorderInt.jpg
      MD5

      8bcaea11e4265287a146708fa0925e11

      SHA1

      5554f90ccce7ac7c8de9126c18034338513b0846

      SHA256

      8fcbd8dd417d45cad78178750fec2268b3ae6aae54005014bbf4173771925ff0

      SHA512

      ee79e28488708ef6945741d301e94e5ade1648b6d4172011f07e30919da726724189cf54d728707cd29f56d03877ed71672dd6cfc25095b487787bdb45378075

      Download Submit
    • memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/452-60-0x0000000072881000-0x0000000072884000-memory.dmp
      Filesize

      12KB

      Download
    • memory/452-61-0x0000000070301000-0x0000000070303000-memory.dmp
      Filesize

      8KB

      Download
    • memory/452-81-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1148-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1216-68-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1216-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-79-0x0000000000390000-0x0000000000391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1708-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-78-0x0000000000060000-0x0000000000088000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1740-73-0x0000000010000000-0x0000000010037000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1740-76-0x00000000001D1000-0x00000000001D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1740-75-0x00000000001E0000-0x00000000001F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1740-74-0x0000000000170000-0x00000000001B3000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1740-80-0x0000000010000000-0x0000000010003000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1740-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1844-64-0x00000000753E1000-0x00000000753E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1844-63-0x0000000000000000-mapping.dmp
      Download