Analysis
max time kernel: 290s
max time network: 300s
platform: windows10_x64
resource: win10v20210408
submitted: 08-07-2021 17:14
Static task: static1
Behavioral task: behavioral1
Sample: question_07.08.2021.doc
Resource: win7v20210410
General
Target: question_07.08.2021.doc
Size: 55KB
MD5: e5e32451730716ed5b0bf3f4d797a262
SHA1: 17f6668019bc20bfab048d6167ee0efb75db2984
SHA256: 25078d9e4b0f4b5aedc10cb63e943089c57154da08b1e8684c9b3eef54774b70
SHA512: 11c42bbd3153312a489a63e1dd53fcd0f67430976dda7fc64ce69c161fae680911475e379bbbb444b44d591ddb8f82e66f5dd7cb8fa7a03b07cda3f161cccf4b
Malware Config
Extracted
Family: trickbot
Version: 2000031
Botnet: zev1
autorun: Name:pwgrabb, Name:pwgrabc
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3996 | 992 | scriptrunner.exe | WINWORD.EXE

Blocklisted process makes network request (5 IoCs)
Processes:
  flow | pid | process
  16 | 1684 | WScript.exe
  50 | 2344 | cmd.exe
  51 | 2344 | cmd.exe
  52 | 2344 | cmd.exe
  56 | 3884 | cmd.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1996 | regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  33 | ipinfo.io

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Discovers systems in the same network (1 TTP, 2 IoCs)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
  pid | process
  2228 | ipconfig.exe

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | scriptrunner.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  992 | WINWORD.EXE (2 rows)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  2344 | cmd.exe
  2344 | cmd.exe
  856 | cmd.exe
  856 | cmd.exe
  3884 | cmd.exe
  856 | cmd.exe
  3884 | cmd.exe
  856 | cmd.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2112 | wermgr.exe
  Token: SeDebugPrivilege | 2344 | cmd.exe
  Token: SeDebugPrivilege | 856 | cmd.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
  pid | process
  992 | WINWORD.EXE (10 rows)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed, with their row counts):
  description | pid | process | target process
  PID 992 wrote to memory of 3996 | 992 | WINWORD.EXE | scriptrunner.exe (2 rows)
  PID 3996 wrote to memory of 1684 | 3996 | scriptrunner.exe | WScript.exe (2 rows)
  PID 1684 wrote to memory of 2164 | 1684 | WScript.exe | regsvr32.exe (2 rows)
  PID 2164 wrote to memory of 1996 | 2164 | regsvr32.exe | regsvr32.exe (3 rows)
  PID 1996 wrote to memory of 2112 | 1996 | regsvr32.exe | wermgr.exe (4 rows)
  PID 2112 wrote to memory of 2344 | 2112 | wermgr.exe | cmd.exe (51 rows)
Processes (indented by depth in the process tree)

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question_07.08.2021.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\scriptrunner.exe
  Command line: scriptrunner.exe -appvscript c:\programdata\memRequest.wsf
  - Process spawned unexpected child process
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\programdata\memRequest.wsf"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

      C:\Windows\System32\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\\users\\public\\memRequest.jpg
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe
        Command line: c:\\users\\public\\memRequest.jpg
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\wermgr.exe
          Command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses

              C:\Windows\system32\ipconfig.exe
              Command line: ipconfig /all
              - Gathers network information

              C:\Windows\system32\net.exe
              Command line: net config workstation

                C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 config workstation

              C:\Windows\system32\net.exe
              Command line: net view /all
              - Discovers systems in the same network

              C:\Windows\system32\net.exe
              Command line: net view /all /domain
              - Discovers systems in the same network

              C:\Windows\system32\nltest.exe
              Command line: nltest /domain_trusts

              C:\Windows\system32\nltest.exe
              Command line: nltest /domain_trusts /all_trusts
Downloads

C:\programdata\memRequest.wsf
MD5: 8f0adb8f4ff8ff93d17cab7fb1fef199
SHA1: e5a5a2e841a8f53cd0bacfb29e7ceb79462bcd30
SHA256: 9014323d283ed73e9a88a3a2c101487c14ff86d796b310a507f4729901db0031
SHA512: 7e02351cfc4d48a0efae18823b82ded6d77664c0664eb72f98950829d4138f4fb84a40986bc6038730b21df8c205ff2d4775dd8961c2d2ddafc87ee68cc1a64b

\??\c:\users\public\memRequest.jpg
\Users\Public\memRequest.jpg
(both paths refer to the same file content)
MD5: 4ddb9bf2c122c2d1d10c08d33636dccd
SHA1: 921c4c891bc526f6548dcb0cf818751b620f2cc6
SHA256: 2f441265ad5fd12b84d79f46e46dd14a78e7bba11d290ff58c7e5bf8e9dab17a
SHA512: d67e55748e1720ed656e4ba80abe6bf4aaf2b9427d16e86440b8a49d8d28e2d13ce6c770ff5e00cb993d93d155c3d37cf171201420022ca92a21c06294199e96