Analysis

- max time kernel: 143s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 09-05-2022 00:39

- Static task: static1
- Behavioral task: behavioral1
  - Sample: ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
  - Resource: win7-20220414-en

Note: the memory-dump resource paths in the signatures below reference behavioral2, which matches the windows10-2004_x64 / win10v2004-20220414-en platform and resource fields above; the task summary here lists only the behavioral1 (win7-20220414-en) task, so the Windows 7 run's findings are not what is shown on this page.

General
- Target: ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
- Size: 546KB
- MD5: ee6c2c0cee1d675d7d54ddd8c55a7d2a
- SHA1: b52b89e670bd912540608671d05b0c772a6a14b9
- SHA256: ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad
- SHA512: 76371e407bfb8e3dd0427dbd750efe7c9c79483495dd2ef3bdf160c7c1528caafd05ed4c914dfe76f16632348a59a8ebe6061fd83dec1c9bf4f519bef5d726bb
Malware Config

Extracted family: trickbot
- Version: 1000514
- Botnet (gtag): ono76
- autorunName: pwgrab

C2 servers (29; the port-443 and port-449 groups are both standard TrickBot C2 ports). These come from the configuration embedded in the sample, so they are the endpoints the bot is built to contact, not a record of connections observed in this run:
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
Signatures

YARA rule matches (resource: yara_rule)
- behavioral2/memory/3908-145-0x00000000022E0000-0x0000000002317000-memory.dmp: templ_dll
- behavioral2/memory/3908-149-0x0000000002770000-0x00000000027A6000-memory.dmp: templ_dll
- behavioral2/memory/3908-152-0x00000000022A0000-0x00000000022D5000-memory.dmp: templ_dll
All three matching regions belong to PID 3908, the 32-bit (SysWOW64) regsvr32.exe instance that loaded the dropped DLL.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoC)
- regsvr32.exe (PID 3908)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "likely ransomware behaviour"; for a TrickBot loader it is better read as host reconnaissance, and nothing else in this report supports encryption activity. No process is attributed to this signature.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Both this and the following registry signature are attributed to WINWORD.EXE itself, which reads these keys during its own start-up, so they are weak evidence of sandbox evasion by the macro.
Enumerates system info in registry (2 TTPs, 3 IoCs)
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\. Every entry is attributed to iexplore.exe or IEXPLORE.EXE, and the values (recovery flags, version-manager timestamps, domain-suggestion and Windows Search state) are the browser's own housekeeping; no process from the loader chain touches these keys.
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5439B849-CF43-11EC-AD90-7A7C173711D6} = "0"
- iexplore.exe: Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\
- iexplore.exe: Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames
- iexplore.exe: Set value (str) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"
- IEXPLORE.EXE: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "735537136"
- IEXPLORE.EXE: Key created Software\Microsoft\Internet Explorer\Main
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\VersionManager
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "689756921"
- iexplore.exe: Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\DomainSuggestion
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "358829843"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
- IEXPLORE.EXE: Key created Software\Microsoft\Internet Explorer\VersionManager
- iexplore.exe: Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\Main
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\Recovery\AdminActive
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "689756921"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30958416"
- iexplore.exe: Key created Software\Microsoft\Internet Explorer\Main\WindowsSearch
- iexplore.exe: Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"
- IEXPLORE.EXE: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30958416"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30958416"
- iexplore.exe: Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- WINWORD.EXE (PID 3280), 2 occurrences
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- wermgr.exe (PID 1712): Token: SeDebugPrivilege, 3 occurrences
PID 1712 is the wermgr.exe instance that the 32-bit regsvr32.exe (PID 3908) wrote into (see WriteProcessMemory below), so the privilege request is consistent with injected code running inside wermgr.exe rather than with wermgr.exe's own behaviour.
Suspicious use of FindShellTrayWindow (1 IoC)
- iexplore.exe (PID 1824)
Suspicious use of SetWindowsHookEx (11 IoCs)
- WINWORD.EXE (PID 3280), 7 occurrences
- iexplore.exe (PID 1824), 2 occurrences
- IEXPLORE.EXE (PID 4224), 2 occurrences
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 852 (WScript.exe) wrote to memory of PID 4116 (cmd.exe), 2 times
- PID 1824 (iexplore.exe) wrote to memory of PID 4224 (IEXPLORE.EXE), 3 times
- PID 852 (WScript.exe) wrote to memory of PID 3384 (certutil.exe), 2 times
- PID 852 (WScript.exe) wrote to memory of PID 2780 (regsvr32.exe), 2 times
- PID 2780 (regsvr32.exe) wrote to memory of PID 3908 (regsvr32.exe), 3 times
- PID 3908 (regsvr32.exe) wrote to memory of PID 1712 (wermgr.exe), 4 times
This signature fires for every parent writing into a child it has just created, which is why it also appears for the unrelated iexplore.exe spawn. The entry that matters is PID 3908 (the 32-bit regsvr32.exe hosting the dropped DLL) writing into wermgr.exe (PID 1712), a well-known TrickBot injection target; wermgr.exe is then the process that enables SeDebugPrivilege.
Processes

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3280)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\WScript.exe (PID 852)
  C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4116)
    "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
  - C:\Windows\System32\certutil.exe (PID 3384)
    "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
  - C:\Windows\System32\regsvr32.exe (PID 2780)
    "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 3908)
      c:\drad\ONKVD.dll
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 1712)
        C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe (PID 1824)
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4224)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

Reading the tree: WScript.exe is recorded as a root process rather than as a child of WINWORD.EXE, so the hand-off from the document's macro to C:\ProgramData\openssl.vbe is not captured in this run's parent/child data. The script creates a working directory, uses certutil -decodehex to turn the hex text at C:\Drad\ONKVD.dll into a DLL in place (-f permits the overwrite), and hands the result to regsvr32.exe. The 64-bit regsvr32.exe (PID 2780) re-launches the DLL under C:\Windows\SysWOW64\regsvr32.exe, as it does for any 32-bit DLL; that instance (PID 3908) is where the templ_dll YARA rule matches and where the writes into wermgr.exe (PID 1712) originate, and wermgr.exe is the process that then enables SeDebugPrivilege. ielowutil.exe and the two iexplore.exe processes were started through COM activation (-Embedding) with no recorded parent link to the loader chain, so their registry writes cannot be attributed to the sample from this data.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Drad\ONKVD.dll (608KB)
  MD5: faf55f62d1967375625d0e402c34ee0a
  SHA1: 02c8f9055c69a3386e7dbfd2eafad3beab3779fb
  SHA256: c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e
  SHA512: 227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca
- C:\Drad\ONKVD.dll (304KB)
  MD5: 0828f63b9396fead9231cae937694a37
  SHA1: 66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
  SHA256: fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
  SHA512: dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256
- C:\ProgramData\openssl.vbe (636KB)
  MD5: 15810fb5f100a3a2d21e4c2288dc1a88
  SHA1: 834308004280f11a459f764d9e2339c34dc5d7f1
  SHA256: 136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6
  SHA512: 431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87
- \??\c:\drad\ONKVD.dll (304KB)
  MD5: 0828f63b9396fead9231cae937694a37
  SHA1: 66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
  SHA256: fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
  SHA512: dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

The same path is listed twice with different hashes because certutil -decodehex rewrote it in place: the 608KB entry is the hex-text form the tool found on disk and the 304KB entry is the decoded DLL (two hex characters per byte, hence exactly half the size). The \??\c:\drad\ONKVD.dll entry is the decoded DLL again, recorded under the NT path form used when regsvr32.exe opened it; its hashes match the 304KB entry. When hunting, use both sets of hashes: the 608KB hashes identify the staged artefact, the 304KB hashes identify what actually executed.
Memory dumps (PID-region; sizes as reported)
- memory/1712-153-0x0000000000000000-mapping.dmp
- memory/1712-155-0x00000251280D0000-0x00000251280F7000-memory.dmp (156KB)
- memory/2780-141-0x0000000000000000-mapping.dmp
- memory/3280-133-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-136-0x00007FFA871C0000-0x00007FFA871D0000-memory.dmp (64KB)
- memory/3280-160-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-135-0x00007FFA871C0000-0x00007FFA871D0000-memory.dmp (64KB)
- memory/3280-134-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-132-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-159-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-131-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-158-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-157-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3280-130-0x00007FFA89350000-0x00007FFA89360000-memory.dmp (64KB)
- memory/3384-139-0x0000000000000000-mapping.dmp
- memory/3908-152-0x00000000022A0000-0x00000000022D5000-memory.dmp (212KB)
- memory/3908-154-0x00000000027B0000-0x00000000027F1000-memory.dmp (260KB)
- memory/3908-149-0x0000000002770000-0x00000000027A6000-memory.dmp (216KB)
- memory/3908-145-0x00000000022E0000-0x0000000002317000-memory.dmp (220KB)
- memory/3908-143-0x0000000000000000-mapping.dmp
- memory/4116-138-0x0000000000000000-mapping.dmp