Overview

overview

10

Static

static

8

doc.xlsm

windows7_x64

10

doc.xlsm

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc.xlsm

  • Size

    210KB

  • MD5

    7eaa8c20b9840547b206f2dd21ac11b6

  • SHA1

    6eaaa24a1d5164dca972e928d62a4c1cf6523689

  • SHA256

    9cf7aef7011220c83deb3587e15b09bdfd16da64f3c23739d860ef183afb0d22

  • SHA512

    9cc2095e15a3261ef9d4101ae363c44a54412db86a1556f09b441379b7291d12c4d1ce554b67f584a275730e6d03d4958255ca4c649e206a83bd560ff29636a9

Score
10/10
trickbotsat4bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://185.81.115.23/ytr.dll

Extracted

Family

trickbot

Version

100019

Botnet

sat4

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 -silent C:\Datop\test.test
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\SysWOW64\regsvr32.exe
        -silent C:\Datop\test.test
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
            PID:3752
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2532

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Datop\test.test
      MD5

      1d71d05681e72c749836a41bec1ce60b

      SHA1

      510712d24aaf87255113857296407cab807b11d9

      SHA256

      f3aca25f563b59de9b6b1e3397d726cbe177c9bbca7ba51a0df9347fc0e55d1b

      SHA512

      9f4ba9afb903443dd4a0a8f03ffcd5fd7938d6ebd1d545d38143202be987302d5ddaf08ee859324d6c52dde582805e3557aed3c9ec51625a90caa6125a6c54b7

      Download Submit
    • \Datop\test.test
      MD5

      1d71d05681e72c749836a41bec1ce60b

      SHA1

      510712d24aaf87255113857296407cab807b11d9

      SHA256

      f3aca25f563b59de9b6b1e3397d726cbe177c9bbca7ba51a0df9347fc0e55d1b

      SHA512

      9f4ba9afb903443dd4a0a8f03ffcd5fd7938d6ebd1d545d38143202be987302d5ddaf08ee859324d6c52dde582805e3557aed3c9ec51625a90caa6125a6c54b7

      Download Submit
    • memory/392-121-0x000001A955AF0000-0x000001A955AF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/392-118-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/392-119-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/392-120-0x000001A955AF0000-0x000001A955AF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/392-115-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/392-122-0x000001A955AF0000-0x000001A955AF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/392-172-0x000001A955AF0000-0x000001A955AF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/392-173-0x000001A955AF0000-0x000001A955AF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/392-117-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/392-116-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2532-273-0x00000176AEB00000-0x00000176AEB01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2532-272-0x00000176AE9F0000-0x00000176AEA19000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2532-271-0x0000000000000000-mapping.dmp
      Download
    • memory/2832-267-0x0000000002B60000-0x0000000002B99000-memory.dmp
      Filesize

      228KB

      Download
    • memory/2832-269-0x00000000046C0000-0x00000000046C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2832-270-0x0000000004641000-0x0000000004643000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2832-268-0x0000000004660000-0x00000000046A5000-memory.dmp
      Filesize

      276KB

      Download
    • memory/2832-258-0x0000000000000000-mapping.dmp
      Download
    • memory/4004-254-0x0000000000000000-mapping.dmp
      Download