Analysis

  • max time kernel
    290s
  • max time network
    300s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-07-2021 17:14

General

  • Target

    question_07.08.2021.doc

  • Size

    55KB

  • MD5

    e5e32451730716ed5b0bf3f4d797a262

  • SHA1

    17f6668019bc20bfab048d6167ee0efb75db2984

  • SHA256

    25078d9e4b0f4b5aedc10cb63e943089c57154da08b1e8684c9b3eef54774b70

  • SHA512

    11c42bbd3153312a489a63e1dd53fcd0f67430976dda7fc64ce69c161fae680911475e379bbbb444b44d591ddb8f82e66f5dd7cb8fa7a03b07cda3f161cccf4b

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2


Attributes

  • autorun
    Name:pwgrabb
    Name:pwgrabc
  • ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question_07.08.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Windows\SYSTEM32\scriptrunner.exe
      scriptrunner.exe -appvscript c:\programdata\memRequest.wsf
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\programdata\memRequest.wsf"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\\users\\public\\memRequest.jpg
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\regsvr32.exe
            c:\\users\\public\\memRequest.jpg
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Windows\system32\wermgr.exe
              C:\Windows\system32\wermgr.exe
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2344
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:856
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:3884
                • C:\Windows\system32\ipconfig.exe
                  ipconfig /all
                  8⤵
                  • Gathers network information
                  PID:2228
                • C:\Windows\system32\net.exe
                  net config workstation
                  8⤵
                  PID:1300
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 config workstation
                    9⤵
                    PID:3468
                • C:\Windows\system32\net.exe
                  net view /all
                  8⤵
                  • Discovers systems in the same network
                  PID:2648
                • C:\Windows\system32\net.exe
                  net view /all /domain
                  8⤵
                  • Discovers systems in the same network
                  PID:2836
                • C:\Windows\system32\nltest.exe
                  nltest /domain_trusts
                  8⤵
                  PID:2304
                • C:\Windows\system32\nltest.exe
                  nltest /domain_trusts /all_trusts
                  8⤵
                  PID:992

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 4
    Query Registry (T1012): 2
    Remote System Discovery (T1018): 1
  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\programdata\memRequest.wsf
    MD5 8f0adb8f4ff8ff93d17cab7fb1fef199
    SHA1 e5a5a2e841a8f53cd0bacfb29e7ceb79462bcd30
    SHA256 9014323d283ed73e9a88a3a2c101487c14ff86d796b310a507f4729901db0031
    SHA512 7e02351cfc4d48a0efae18823b82ded6d77664c0664eb72f98950829d4138f4fb84a40986bc6038730b21df8c205ff2d4775dd8961c2d2ddafc87ee68cc1a64b

  • \??\c:\users\public\memRequest.jpg
    MD5 4ddb9bf2c122c2d1d10c08d33636dccd
    SHA1 921c4c891bc526f6548dcb0cf818751b620f2cc6
    SHA256 2f441265ad5fd12b84d79f46e46dd14a78e7bba11d290ff58c7e5bf8e9dab17a
    SHA512 d67e55748e1720ed656e4ba80abe6bf4aaf2b9427d16e86440b8a49d8d28e2d13ce6c770ff5e00cb993d93d155c3d37cf171201420022ca92a21c06294199e96

  • \Users\Public\memRequest.jpg
    MD5 4ddb9bf2c122c2d1d10c08d33636dccd
    SHA1 921c4c891bc526f6548dcb0cf818751b620f2cc6
    SHA256 2f441265ad5fd12b84d79f46e46dd14a78e7bba11d290ff58c7e5bf8e9dab17a
    SHA512 d67e55748e1720ed656e4ba80abe6bf4aaf2b9427d16e86440b8a49d8d28e2d13ce6c770ff5e00cb993d93d155c3d37cf171201420022ca92a21c06294199e96