Analysis
- max time kernel: 286s
- max time network: 340s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-07-2021 14:15

Static task: static1
Behavioral task: behavioral1
- Sample: details.07.21.doc
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: details.07.21.doc
- Resource: win10v20210410
General
- Target: details.07.21.doc
- Size: 87KB
- MD5: 7bffd29ad113d483f6d761e669e6bcf3
- SHA1: 7ab23606fcd7ebb6e8b6b114c2364fe13cf69c99
- SHA256: 93e1baebf82c1625c485ed10d8ecc12624ef48765132e6c9ddb1ae0557e61585
- SHA512: 2a7461404023519b1d412f2b18f320c7f107374662b0f3be9cf312c70250825ebb58fab1173b0249c35cfc327d1d18801d4b6b2f2b82541c96622b2c3ee2dcb4
Malware Config
- Extracted: trickbot
- 2000031
- zev1
- autorun:
  - Name: pwgrabb
  - Name: pwgrabc
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 336 | pid_target: 2040 | process: cmd.exe | target process: WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes: mshta.exe
  flow: 6 | pid: 800 | process: mshta.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes: regsvr32.exe
  pid: 1392 | process: regsvr32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 13 | ioc: icanhazip.com

Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
  description: File opened for modification | ioc: C:\Windows\Debug\WIA\wiatrace.log | process: WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes: WINWORD.EXE, mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
  pid: 2040 | process: WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  description: Token: SeDebugPrivilege | pid: 1068 | process: wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  pid: 2040 | process: WINWORD.EXE
  pid: 2040 | process: WINWORD.EXE

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: WINWORD.EXE, cmd.exe, mshta.exe, regsvr32.exe
  description | pid | process | target process
  PID 2040 wrote to memory of 336 | 2040 | WINWORD.EXE | cmd.exe (4 entries)
  PID 336 wrote to memory of 800 | 336 | cmd.exe | mshta.exe (4 entries)
  PID 800 wrote to memory of 1392 | 800 | mshta.exe | regsvr32.exe (7 entries)
  PID 1392 wrote to memory of 1068 | 1392 | regsvr32.exe | wermgr.exe (6 entries)
  PID 2040 wrote to memory of 1712 | 2040 | WINWORD.EXE | splwow64.exe (4 entries)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\details.07.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c c:\programdata\optFunctionL.hta
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\optFunctionL.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe (depth 4)
        Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\optFunctionL.jpg
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wermgr.exe (depth 5)
          Command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\programdata\optFunctionL.hta
- MD5: 7e4c08c67d6976e8fd018030f37b9b85
- SHA1: 49ab332d2555d82525c3436380dccaf1c00df6cb
- SHA256: 73e7584e37081c6779565700d662c885d0e708c6ab235b57e7e4a78fad223a83
- SHA512: e48c65afc331390a8c7c37b2886a555aeb047f556c40c3bee1cd933f7097ce615962ef20730e5c6bdad2b6b591ccad8cc72e3a36e03cd9e69f8de44900bede38

\??\c:\users\public\optFunctionL.jpg
- MD5: c69312ce1e278c8699a98ff0af026aa8
- SHA1: c0b30f3d610df9d204079be4a9d10a0dfb42d008
- SHA256: 4290a6015acdf219e14973592774e8771bd231e1561f3c400081fb9a8f8d5047
- SHA512: 9dd7478252e763f62e9b3960bde10f691a18008db4cea73dd7efe3ea82e240677fc566b75c61743cc0d9f4bfeaedc4bddeb266a48bff99b611aeee8594d90f15

\Users\Public\optFunctionL.jpg
- MD5: c69312ce1e278c8699a98ff0af026aa8
- SHA1: c0b30f3d610df9d204079be4a9d10a0dfb42d008
- SHA256: 4290a6015acdf219e14973592774e8771bd231e1561f3c400081fb9a8f8d5047
- SHA512: 9dd7478252e763f62e9b3960bde10f691a18008db4cea73dd7efe3ea82e240677fc566b75c61743cc0d9f4bfeaedc4bddeb266a48bff99b611aeee8594d90f15
- memory/336-63-0x0000000000000000-mapping.dmp
- memory/800-66-0x0000000000000000-mapping.dmp
- memory/1068-84-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)
- memory/1068-83-0x0000000000060000-0x0000000000088000-memory.dmp (160KB)
- memory/1068-82-0x0000000000000000-mapping.dmp
- memory/1392-71-0x0000000000710000-0x000000000074B000-memory.dmp (236KB)
- memory/1392-79-0x0000000000AF0000-0x0000000000B33000-memory.dmp (268KB)
- memory/1392-81-0x0000000000211000-0x0000000000213000-memory.dmp (8KB)
- memory/1392-74-0x0000000000A50000-0x0000000000A89000-memory.dmp (228KB)
- memory/1392-76-0x0000000000AB0000-0x0000000000AE7000-memory.dmp (220KB)
- memory/1392-78-0x00000000001A0000-0x00000000001D8000-memory.dmp (224KB)
- memory/1392-80-0x0000000000750000-0x0000000000761000-memory.dmp (68KB)
- memory/1392-67-0x0000000000000000-mapping.dmp
- memory/1712-85-0x0000000000000000-mapping.dmp
- memory/1712-86-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (8KB)
- memory/2040-59-0x0000000072291000-0x0000000072294000-memory.dmp (12KB)
- memory/2040-62-0x0000000075D41000-0x0000000075D43000-memory.dmp (8KB)
- memory/2040-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/2040-60-0x000000006FD11000-0x000000006FD13000-memory.dmp (8KB)
- memory/2040-87-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)