Overview

overview

10

Static

static

8

info_summr...n.xlsm

windows7_x64

10

info_summr...n.xlsm

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    info_summr_55968-17.bin.xlsm

  • Size

    210KB

  • MD5

    538aaa3cc71057df657b52b8278c35ce

  • SHA1

    e26cd91e5d7693ef3fefd5666e2ff8f1a5338aab

  • SHA256

    342901a3f85cfdb904dc39b2627018e4058545891292b8f90b954d96d986be31

  • SHA512

    0a2558d98b4315eeb3e8e8e5ab7dc8bd9691ef961ff540e55d033c491f37bc3867f914aa38168a6e2bb138033c9c30091d50a659e7ffc5370a5993a64cfddc60

Score
10/10
trickbotsat4bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://185.81.115.23/ytr.dll

Extracted

Family

trickbot

Version

100019

Botnet

sat4

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\info_summr_55968-17.bin.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 -silent C:\Datop\test.test
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\regsvr32.exe
        -silent C:\Datop\test.test
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
            PID:3404
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2360

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Datop\test.test
      MD5

      1d71d05681e72c749836a41bec1ce60b

      SHA1

      510712d24aaf87255113857296407cab807b11d9

      SHA256

      f3aca25f563b59de9b6b1e3397d726cbe177c9bbca7ba51a0df9347fc0e55d1b

      SHA512

      9f4ba9afb903443dd4a0a8f03ffcd5fd7938d6ebd1d545d38143202be987302d5ddaf08ee859324d6c52dde582805e3557aed3c9ec51625a90caa6125a6c54b7

      Download Submit
    • \Datop\test.test
      MD5

      1d71d05681e72c749836a41bec1ce60b

      SHA1

      510712d24aaf87255113857296407cab807b11d9

      SHA256

      f3aca25f563b59de9b6b1e3397d726cbe177c9bbca7ba51a0df9347fc0e55d1b

      SHA512

      9f4ba9afb903443dd4a0a8f03ffcd5fd7938d6ebd1d545d38143202be987302d5ddaf08ee859324d6c52dde582805e3557aed3c9ec51625a90caa6125a6c54b7

      Download Submit
    • memory/1816-121-0x00000257930F0000-0x00000257930F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1816-118-0x00007FF817560000-0x00007FF817570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-119-0x00007FF817560000-0x00007FF817570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-120-0x00000257930F0000-0x00000257930F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1816-122-0x00000257930F0000-0x00000257930F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1816-128-0x00007FF814750000-0x00007FF814760000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-129-0x00007FF814750000-0x00007FF814760000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-115-0x00007FF817560000-0x00007FF817570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-117-0x00007FF817560000-0x00007FF817570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1816-116-0x00007FF817560000-0x00007FF817570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2360-275-0x0000000000000000-mapping.dmp
      Download
    • memory/2360-276-0x0000028F65CF0000-0x0000028F65D19000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2360-277-0x0000028F65E00000-0x0000028F65E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3720-258-0x0000000000000000-mapping.dmp
      Download
    • memory/3928-271-0x0000000004F40000-0x0000000004F41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3928-272-0x0000000003451000-0x0000000003453000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3928-269-0x0000000004E10000-0x0000000004E49000-memory.dmp
      Filesize

      228KB

      Download
    • memory/3928-270-0x0000000004EE0000-0x0000000004F25000-memory.dmp
      Filesize

      276KB

      Download
    • memory/3928-260-0x0000000000000000-mapping.dmp
      Download