Overview

overview

10

Static

static

ea78baf091...d.docm

windows10_x64

10

ea78baf091...d.docm

windows10-2004_x64

10

ea78baf091...d.docm

windows11_x64

Analysis

  • max time kernel
    582s
  • max time network
    601s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-05-2022 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm

  • Size

    546KB

  • MD5

    ee6c2c0cee1d675d7d54ddd8c55a7d2a

  • SHA1

    b52b89e670bd912540608671d05b0c772a6a14b9

  • SHA256

    ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad

  • SHA512

    76371e407bfb8e3dd0427dbd750efe7c9c79483495dd2ef3bdf160c7c1528caafd05ed4c914dfe76f16632348a59a8ebe6061fd83dec1c9bf4f519bef5d726bb

Score
10/10
trickbotono76bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

1000514

Botnet

ono76

C2

51.89.163.40:443

89.223.126.186:443

45.67.231.68:443

148.251.185.165:443

194.87.110.144:443

213.32.84.27:443

185.234.72.35:443

45.89.125.148:443

195.123.240.104:443

185.99.2.243:443

5.182.211.223:443

195.123.240.113:443

85.204.116.173:443

5.152.210.188:443

103.36.48.103:449

36.94.33.102:449

36.91.87.227:449

177.190.69.162:449

103.76.169.213:449

179.97.246.23:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 3 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:940
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
      2⤵
        PID:2148
      • C:\Windows\System32\certutil.exe
        "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
        2⤵
          PID:3648
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Windows\SysWOW64\regsvr32.exe
            c:\drad\ONKVD.dll
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4672
            • C:\Windows\system32\wermgr.exe
              C:\Windows\system32\wermgr.exe
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4240
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:2396
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2308

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Drad\ONKVD.dll
          Filesize

          608KB

          MD5

          faf55f62d1967375625d0e402c34ee0a

          SHA1

          02c8f9055c69a3386e7dbfd2eafad3beab3779fb

          SHA256

          c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e

          SHA512

          227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca

          Download Submit
        • C:\Drad\ONKVD.dll
          Filesize

          304KB

          MD5

          0828f63b9396fead9231cae937694a37

          SHA1

          66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8

          SHA256

          fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4

          SHA512

          dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

          Download Submit
        • C:\ProgramData\openssl.vbe
          Filesize

          636KB

          MD5

          15810fb5f100a3a2d21e4c2288dc1a88

          SHA1

          834308004280f11a459f764d9e2339c34dc5d7f1

          SHA256

          136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6

          SHA512

          431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87

          Download Submit
        • \??\c:\drad\ONKVD.dll
          Filesize

          304KB

          MD5

          0828f63b9396fead9231cae937694a37

          SHA1

          66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8

          SHA256

          fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4

          SHA512

          dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

          Download Submit
        • memory/940-136-0x00007FF8F9230000-0x00007FF8F9240000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-159-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-130-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-134-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-135-0x00007FF8F9230000-0x00007FF8F9240000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-157-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-133-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-158-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-131-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-160-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/940-132-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2148-138-0x0000000000000000-mapping.dmp
          Download
        • memory/2320-141-0x0000000000000000-mapping.dmp
          Download
        • memory/3648-139-0x0000000000000000-mapping.dmp
          Download
        • memory/4240-155-0x0000021727F50000-0x0000021727F77000-memory.dmp
          Filesize

          156KB

          Download
        • memory/4240-154-0x0000000000000000-mapping.dmp
          Download
        • memory/4672-153-0x0000000002AF0000-0x0000000002B31000-memory.dmp
          Filesize

          260KB

          Download
        • memory/4672-152-0x0000000001080000-0x00000000010B5000-memory.dmp
          Filesize

          212KB

          Download
        • memory/4672-149-0x0000000001100000-0x0000000001136000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4672-145-0x00000000010C0000-0x00000000010F7000-memory.dmp
          Filesize

          220KB

          Download
        • memory/4672-143-0x0000000000000000-mapping.dmp
          Download