Overview

overview

10

Static

static

details.07.21.doc

windows7_x64

10

details.07.21.doc

windows10_x64

10

Analysis

  • max time kernel
    286s
  • max time network
    340s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    16-07-2021 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    details.07.21.doc

  • Size

    87KB

  • MD5

    7bffd29ad113d483f6d761e669e6bcf3

  • SHA1

    7ab23606fcd7ebb6e8b6b114c2364fe13cf69c99

  • SHA256

    93e1baebf82c1625c485ed10d8ecc12624ef48765132e6c9ddb1ae0557e61585

  • SHA512

    2a7461404023519b1d412f2b18f320c7f107374662b0f3be9cf312c70250825ebb58fab1173b0249c35cfc327d1d18801d4b6b2f2b82541c96622b2c3ee2dcb4

Score
10/10
trickbotzev1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\details.07.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\programdata\optFunctionL.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\optFunctionL.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\optFunctionL.jpg
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1068
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1712

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\optFunctionL.hta
      MD5

      7e4c08c67d6976e8fd018030f37b9b85

      SHA1

      49ab332d2555d82525c3436380dccaf1c00df6cb

      SHA256

      73e7584e37081c6779565700d662c885d0e708c6ab235b57e7e4a78fad223a83

      SHA512

      e48c65afc331390a8c7c37b2886a555aeb047f556c40c3bee1cd933f7097ce615962ef20730e5c6bdad2b6b591ccad8cc72e3a36e03cd9e69f8de44900bede38

      Download Submit
    • \??\c:\users\public\optFunctionL.jpg
      MD5

      c69312ce1e278c8699a98ff0af026aa8

      SHA1

      c0b30f3d610df9d204079be4a9d10a0dfb42d008

      SHA256

      4290a6015acdf219e14973592774e8771bd231e1561f3c400081fb9a8f8d5047

      SHA512

      9dd7478252e763f62e9b3960bde10f691a18008db4cea73dd7efe3ea82e240677fc566b75c61743cc0d9f4bfeaedc4bddeb266a48bff99b611aeee8594d90f15

      Download Submit
    • \Users\Public\optFunctionL.jpg
      MD5

      c69312ce1e278c8699a98ff0af026aa8

      SHA1

      c0b30f3d610df9d204079be4a9d10a0dfb42d008

      SHA256

      4290a6015acdf219e14973592774e8771bd231e1561f3c400081fb9a8f8d5047

      SHA512

      9dd7478252e763f62e9b3960bde10f691a18008db4cea73dd7efe3ea82e240677fc566b75c61743cc0d9f4bfeaedc4bddeb266a48bff99b611aeee8594d90f15

      Download Submit
    • memory/336-63-0x0000000000000000-mapping.dmp
      Download
    • memory/800-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1068-84-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1068-83-0x0000000000060000-0x0000000000088000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1068-82-0x0000000000000000-mapping.dmp
      Download
    • memory/1392-71-0x0000000000710000-0x000000000074B000-memory.dmp
      Filesize

      236KB

      Download
    • memory/1392-79-0x0000000000AF0000-0x0000000000B33000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1392-81-0x0000000000211000-0x0000000000213000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-74-0x0000000000A50000-0x0000000000A89000-memory.dmp
      Filesize

      228KB

      Download
    • memory/1392-76-0x0000000000AB0000-0x0000000000AE7000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1392-78-0x00000000001A0000-0x00000000001D8000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1392-80-0x0000000000750000-0x0000000000761000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1392-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-86-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2040-59-0x0000000072291000-0x0000000072294000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2040-62-0x0000000075D41000-0x0000000075D43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2040-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2040-60-0x000000006FD11000-0x000000006FD13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2040-87-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download