Analysis Report 446446.xls

Overview

General Information

Sample Name: 446446.xls
Analysis ID: 385552
MD5: 1b62b4f4b16d6219dce4c6d145c5af79
SHA1: d5bc46f3043119c020ae93121195aabbf151cf75
SHA256: dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot {"ver": "2000028", "gtag": "rob52", "servs": ["89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443", "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443", "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449", "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304", "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289", "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813", "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566", "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125", "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460", "40.81.224.235:45065", "211.246.214.27:8638"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 4HeVw[1].perclick.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: living-traditions.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 64.207.186.30:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 64.207.186.30:80

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /blogs/click.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: living-traditions.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1281B7DE.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /blogs/click.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: living-traditions.comConnection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: living-traditions.com
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: 446446.xls, 51DE0000.0.dr String found in binary or memory: http://living-traditions.com/blogs/click.php
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 0 Protected Vie
Source: Screenshot number: 4 Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start V Q R S IE"]' ^ Enable Edit
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 Screenshot OCR: Enable Content
Source: Document image extraction number: 4 Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: 446446.xls Initial sample: CALL
Source: 446446.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: 446446.xls Initial sample: High usage of CHAR() function: 39
Source: 446446.xls Initial sample: High usage of CHAR() function: 26
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Document contains embedded VBA macros
Source: 446446.xls OLE indicator, VBA macros: true
Yara signature match
Source: 446446.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal96.troj.expl.evad.winXLS@7/7@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC532.tmp Jump to behavior
Source: 446446.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_007C27CB push dword ptr [edx+14h]; ret 4_2_007C282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_007C2720 push dword ptr [edx+14h]; ret 4_2_007C282D

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.780000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.780000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.780000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.780000.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385552 Sample: 446446.xls Startdate: 12/04/2021 Architecture: WINDOWS Score: 96 25 Found malware configuration 2->25 27 Document exploit detected (drops PE files) 2->27 29 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->29 31 6 other signatures 2->31 8 EXCEL.EXE 86 47 2->8         started        process3 dnsIp4 23 living-traditions.com 64.207.186.30, 49165, 80 GO-DADDY-COM-LLCUS United States 8->23 19 C:\Users\user\fdinmd.fii, PE32 8->19 dropped 21 C:\Users\user\AppData\...\4HeVw[1].perclick, PE32 8->21 dropped 33 Document exploit detected (UrlDownloadToFile) 8->33 13 rundll32.exe 8->13         started        file5 signatures6 process7 process8 15 rundll32.exe 13->15         started        process9 17 wermgr.exe 15->17         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.207.186.30
 living-traditions.com United States
398110 GO-DADDY-COM-LLCUS false

Contacted Domains

Name IP Active
living-traditions.com 64.207.186.30 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://living-traditions.com/blogs/click.php false
  • Avira URL Cloud: safe
 unknown