Overview

overview

10

Static

static

adjure.07.15.2021.doc

windows7_x64

10

adjure.07.15.2021.doc

windows10_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    16-07-2021 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adjure.07.15.2021.doc

  • Size

    87KB

  • MD5

    a4e5382ad73aa72478e5264bc44c4167

  • SHA1

    9a3641ccc9bef7a17632070a21b9e2fa7af85fad

  • SHA256

    562e2dab4a855410150587c82ab64eac1e2230a0405b3e032c75451c5baf6a8a

  • SHA512

    914b42cd057ae27d1e65dc02f112b2ced21a5ac7ee79f0b096993b1967695e03ab492a78592a7ac5ff8ee7875661fe91f89b754f32fcc6710a94e67a4b029a5a

Score
10/10
trickbotzev1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure.07.15.2021.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\programdata\linkLstLong.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\linkLstLong.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\linkLstLong.jpg
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1984

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\linkLstLong.hta
      MD5

      f929e0be622e960a0a560b181920ae27

      SHA1

      6178f220ef46c6ea2e0d4cc72137d00a85701a9c

      SHA256

      1d856c5f27d080a730cf88dafdf0b94860dd7cd752f87989a4e679eeca98fa43

      SHA512

      fbb84c7817265db19d1c2533540fa6d97005206a4cc7fde0977f5f89d69fc4bea702140baa1cfab3abf8f70b3b245d3806ddd5acd908e06950b3323fa9f718a5

      Download Submit
    • \??\c:\users\public\linkLstLong.jpg
      MD5

      346446b4a209814f7542e706a561ad89

      SHA1

      3e77832af77b84ded9c08212fc2bd9d7022f6c9c

      SHA256

      4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7

      SHA512

      b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef

      Download Submit
    • \Users\Public\linkLstLong.jpg
      MD5

      346446b4a209814f7542e706a561ad89

      SHA1

      3e77832af77b84ded9c08212fc2bd9d7022f6c9c

      SHA256

      4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7

      SHA512

      b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef

      Download Submit
    • memory/1092-60-0x00000000700D1000-0x00000000700D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1092-62-0x0000000075AF1000-0x0000000075AF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1092-59-0x0000000072651000-0x0000000072654000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1108-71-0x0000000000820000-0x0000000000857000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1108-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-74-0x00000000007E0000-0x0000000000814000-memory.dmp
      Filesize

      208KB

      Download
    • memory/1108-76-0x00000000008F0000-0x0000000000901000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1108-75-0x0000000000860000-0x00000000008A3000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1108-77-0x0000000000621000-0x0000000000623000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1192-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1912-80-0x0000000000000000-mapping.dmp
      Download
    • memory/1912-81-0x0000000000060000-0x0000000000088000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1912-82-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1984-78-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-79-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
      Filesize

      8KB

      Download