Resubmissions

19-08-2021 15:28

210819-qvpqyzvlrs 10

22-07-2021 08:22

210722-68kbddkzna 10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 08:22

General

  • Target

    1.hta

  • Size

    2KB

  • MD5

    c5f48abc68324cd059e74b35c44b64c7

  • SHA1

    e68b086934eb0d4576ac3711062efba4236df436

  • SHA256

    9a3c69a9e5f02c1e3022586c5ffe3e9dca7224f4c5107ce1f758eae62f747576

  • SHA512

    271dedd705ed5a64cda497d0b86cd1509f34911602aac65cbc8a5120ef37efccc2ec8d45538cec29e1bbb5aa5fb5d76aa0a3502e00208e0c4067d4dd9b465d21

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
      • C:\Windows\SysWOW64\mshta.exe
        C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1.hta"
        2⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\simpleAndAnd.jpg
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:660
          • C:\Windows\system32\regsvr32.exe
            c:\users\public\simpleAndAnd.jpg
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:524
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:436
          • C:\Windows\system32\rundll32.exe
            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll" DllRegisterServer
            3⤵
              PID:1196
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll" DllRegisterServer
                4⤵
                • Loads dropped DLL
                PID:1124
                • C:\Windows\system32\wermgr.exe
                  C:\Windows\system32\wermgr.exe
                  5⤵
                    PID:1100
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s "c:\users\public\simpleAndAnd.jpg"
    1⤵
    • Loads dropped DLL
    PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion (1 technique)
    Modify Registry, T1112
  • Discovery (1 technique)
    System Information Discovery, T1082

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            MD5

            2902de11e30dcc620b184e3bb0f0c1cb

            SHA1

            5d11d14a2558801a2688dc2d6dfad39ac294f222

            SHA256

            e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

            SHA512

            efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            0a927dd65ac753dd32e4e999142ede1b

            SHA1

            ad6dfe7da3a206443d035825b1c6c33f0ecf2956

            SHA256

            229ba767be9d71b60463b14f5b23a201a383be2fad885b5d3bfe237c13a85700

            SHA512

            c31efaedcf621d94fed1e0f5f615303acace7df2be3efac852418f6b03445a4a7dd408bf7f407e8388f226a16373bab3429907244fd69ab3d3c057cfce533db1

          • C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll
            MD5

            188080ab83370f99d2a5026f8abd00ea

            SHA1

            bfa8dd3321b3c852104a2a446b59cb44d410bef9

            SHA256

            62f3ede975bbd1fa2f72bc4f2c77f9256e48dea1187ad4d1d6f8e4eda22cf35f

            SHA512

            1532fcf915bbe876e5574030e3af3958e86856264d0557bfb6342b5772b230b14790dd28cf53b9887220b9f0d547eb53871240ccc86d646402d7ad4653f53d1d

          • \??\c:\users\public\simpleAndAnd.jpg
            MD5

            7050cfe8a95eefadad00ff8e3b0e7013

            SHA1

            24f2a04730eaf05de193c18c16363d1a733178e7

            SHA256

            cb2aaeff0f1337e92cd73b4108d2f43351b1cd70c126d1494743d44355368467

            SHA512

            663bd4e44a2167e4c0efb866ec6b7ade786885104fa7bf66a73ffd3a9f1af0a00baf4efe879d8bf30b8265c75d9d7a19ef07a0c9ca9c226987da2e9e61f22700

          • \Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll
            MD5

            188080ab83370f99d2a5026f8abd00ea

            SHA1

            bfa8dd3321b3c852104a2a446b59cb44d410bef9

            SHA256

            62f3ede975bbd1fa2f72bc4f2c77f9256e48dea1187ad4d1d6f8e4eda22cf35f

            SHA512

            1532fcf915bbe876e5574030e3af3958e86856264d0557bfb6342b5772b230b14790dd28cf53b9887220b9f0d547eb53871240ccc86d646402d7ad4653f53d1d

          • \Users\Public\simpleAndAnd.jpg
            MD5

            7050cfe8a95eefadad00ff8e3b0e7013

            SHA1

            24f2a04730eaf05de193c18c16363d1a733178e7

            SHA256

            cb2aaeff0f1337e92cd73b4108d2f43351b1cd70c126d1494743d44355368467

            SHA512

            663bd4e44a2167e4c0efb866ec6b7ade786885104fa7bf66a73ffd3a9f1af0a00baf4efe879d8bf30b8265c75d9d7a19ef07a0c9ca9c226987da2e9e61f22700

          • memory/240-74-0x0000000001EA0000-0x0000000001EDE000-memory.dmp
            Filesize

            248KB

          • memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp
            Filesize

            8KB

          • memory/436-69-0x000000013F0F0000-0x000000013F335000-memory.dmp
            Filesize

            2.3MB

          • memory/436-70-0x000000013F3077D8-mapping.dmp
          • memory/436-71-0x000000013F0F0000-0x000000013F335000-memory.dmp
            Filesize

            2.3MB

          • memory/524-65-0x0000000000000000-mapping.dmp
          • memory/524-66-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
            Filesize

            8KB

          • memory/524-68-0x0000000001F10000-0x0000000001F4E000-memory.dmp
            Filesize

            248KB

          • memory/660-61-0x0000000000000000-mapping.dmp
          • memory/1100-89-0x0000000000000000-mapping.dmp
          • memory/1100-90-0x0000000000060000-0x0000000000088000-memory.dmp
            Filesize

            160KB

          • memory/1100-91-0x0000000000110000-0x0000000000111000-memory.dmp
            Filesize

            4KB

          • memory/1124-79-0x0000000000000000-mapping.dmp
          • memory/1124-85-0x0000000000A90000-0x0000000000CED000-memory.dmp
            Filesize

            2.4MB

          • memory/1124-87-0x0000000000190000-0x00000000001A1000-memory.dmp
            Filesize

            68KB

          • memory/1124-86-0x0000000000290000-0x00000000002D3000-memory.dmp
            Filesize

            268KB

          • memory/1124-88-0x0000000010001000-0x0000000010003000-memory.dmp
            Filesize

            8KB

          • memory/1196-77-0x0000000000000000-mapping.dmp