Analysis
-
max time kernel
137s -
max time network
138s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27-07-2021 18:38
Static task
static1
Behavioral task
behavioral1
Sample
deed contract,07.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
deed contract,07.21.doc
Resource
win10v20210410
General
-
Target
deed contract,07.21.doc
-
Size
74KB
-
MD5
2d0088012b6c1f399e946a8e5b513e36
-
SHA1
25b7290bf78fce2951ee78df721994890b2d8aad
-
SHA256
f6c286e79ec7023e8ff292c6f71ad0ecc8fef8463e8d2fe1aa0d527c3d833b01
-
SHA512
4a2b1d82a52cf7b268a5abdcac5e17b0d080e18de23bebbd9bb2b39484ff42a525b339dd05f9cd86d38f244d0ba819429cac8d49355e69afea764b435fefd8f4
Malware Config
Extracted
trickbot
2000031
zev4
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
-
autorunName:pwgrabbName:pwgrabc
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1396 1748 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 5 1768 mshta.exe -
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1720 regsvr32.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ident.me 13 ident.me -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1748 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 1968 wermgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 1748 WINWORD.EXE 1748 WINWORD.EXE 1748 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
WINWORD.EXEcmd.exemshta.exeregsvr32.exedescription pid process target process PID 1748 wrote to memory of 1396 1748 WINWORD.EXE cmd.exe PID 1748 wrote to memory of 1396 1748 WINWORD.EXE cmd.exe PID 1748 wrote to memory of 1396 1748 WINWORD.EXE cmd.exe PID 1748 wrote to memory of 1396 1748 WINWORD.EXE cmd.exe PID 1396 wrote to memory of 1768 1396 cmd.exe mshta.exe PID 1396 wrote to memory of 1768 1396 cmd.exe mshta.exe PID 1396 wrote to memory of 1768 1396 cmd.exe mshta.exe PID 1396 wrote to memory of 1768 1396 cmd.exe mshta.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1768 wrote to memory of 1720 1768 mshta.exe regsvr32.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe PID 1748 wrote to memory of 868 1748 WINWORD.EXE splwow64.exe PID 1748 wrote to memory of 868 1748 WINWORD.EXE splwow64.exe PID 1748 wrote to memory of 868 1748 WINWORD.EXE splwow64.exe PID 1748 wrote to memory of 868 1748 WINWORD.EXE splwow64.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe PID 1720 wrote to memory of 1968 1720 regsvr32.exe wermgr.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,07.21.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\programdata\funcToProc.hta2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\funcToProc.hta"3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" c:\users\public\funcToProc.jpg4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\programdata\funcToProc.htaMD5
bc4be77135061df095a403023bae0109
SHA12fc60dd93271d314a961e47e18b64ab28ae8d327
SHA256dc57fcce608c4997a28a47c3ba309091a6ca6920b91ec8fa5b859c7fb94193f3
SHA512b002a6527ba4b8d7b0616929bf4dac29341d65798c6fd2ecb45a331de0a9a5753f0cc3d64caf51e7edea1a3b0faa42998dd54abb51a5778e80d5252cb3ec9be4
-
\??\c:\users\public\funcToProc.jpgMD5
c538f57716e424492b816af505757487
SHA12b30d72ff6db80f3c15daf150e000738784f33f6
SHA2566b1264ddfc4c8124e8f9833a7a7f659c8d39748ecc4d727e4d250eb0d03b5421
SHA5124c56ca5acd5d56f74a55be95a7cfe1e88e46ea09e15827b37da95a780aec9031472390fc30f6a52be8389f1fe9809b56eb3fe524469dd2361ee2f56ba90d7488
-
\Users\Public\funcToProc.jpgMD5
c538f57716e424492b816af505757487
SHA12b30d72ff6db80f3c15daf150e000738784f33f6
SHA2566b1264ddfc4c8124e8f9833a7a7f659c8d39748ecc4d727e4d250eb0d03b5421
SHA5124c56ca5acd5d56f74a55be95a7cfe1e88e46ea09e15827b37da95a780aec9031472390fc30f6a52be8389f1fe9809b56eb3fe524469dd2361ee2f56ba90d7488
-
memory/868-76-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmpFilesize
8KB
-
memory/868-75-0x0000000000000000-mapping.dmp
-
memory/1396-64-0x0000000000000000-mapping.dmp
-
memory/1720-68-0x0000000000000000-mapping.dmp
-
memory/1720-73-0x0000000000190000-0x00000000001A1000-memory.dmpFilesize
68KB
-
memory/1720-74-0x0000000010001000-0x0000000010003000-memory.dmpFilesize
8KB
-
memory/1720-72-0x00000000001F0000-0x000000000022F000-memory.dmpFilesize
252KB
-
memory/1748-60-0x0000000072251000-0x0000000072254000-memory.dmpFilesize
12KB
-
memory/1748-63-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/1748-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1748-61-0x000000006FCD1000-0x000000006FCD3000-memory.dmpFilesize
8KB
-
memory/1768-67-0x0000000000000000-mapping.dmp
-
memory/1968-77-0x0000000000000000-mapping.dmp
-
memory/1968-79-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/1968-78-0x0000000000060000-0x0000000000088000-memory.dmpFilesize
160KB