Analysis
- max time kernel: 118s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-11-2020 00:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: radiance.png.pellet.exe
- Resource: win7v20201028
General
- Target: radiance.png.pellet.exe
- Size: 532KB
- MD5: e8a28a5d13c44e81779b7f499224e5bf
- SHA1: 52cd0f52e9fab839fac42dd69a1c52aa9b9885f8
- SHA256: 696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85
- SHA512: fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835
Malware Config
Extracted
- Family: trickbot
- Version: 1000298
- Botnet: tot352
- Attr: autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Signatures

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
- resource: behavioral1/memory/2028-2-0x0000000001E50000-0x0000000001E90000-memory.dmp; yara_rule: trickbot_loader32

Executes dropped EXE (1 IoC)
Processes:
- pid 1708: sadiance.png.pellet.exe

Stops running service(s) (3 TTPs)

Loads dropped DLL (2 IoCs)
Processes:
- pid 2028: radiance.png.pellet.exe
- pid 2028: radiance.png.pellet.exe

Drops file in System32 directory (1 IoC)
Processes:
- powershell.exe: File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- pid 2028: radiance.png.pellet.exe
- pid 2028: radiance.png.pellet.exe
- pid 2028: radiance.png.pellet.exe
- pid 748: powershell.exe
- pid 748: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- pid 748 powershell.exe: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 2028: radiance.png.pellet.exe
- pid 1708: sadiance.png.pellet.exe

Suspicious use of WriteProcessMemory (692 IoCs)
Processes (unique writer -> target pairs; each pair occurs repeatedly in the raw event list):
- PID 2028 radiance.png.pellet.exe wrote to memory of 1448 cmd.exe
- PID 2028 radiance.png.pellet.exe wrote to memory of 1184 cmd.exe
- PID 1448 cmd.exe wrote to memory of 1748 sc.exe
- PID 1184 cmd.exe wrote to memory of 1796 sc.exe
- PID 2028 radiance.png.pellet.exe wrote to memory of 1752 cmd.exe
- PID 2028 radiance.png.pellet.exe wrote to memory of 1708 sadiance.png.pellet.exe
- PID 1752 cmd.exe wrote to memory of 748 powershell.exe
- PID 1708 sadiance.png.pellet.exe wrote to memory of 1840 svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc stop WinDefend
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop WinDefend
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc delete WinDefend
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete WinDefend
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
    command line: C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
Downloads
- C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
  MD5: e8a28a5d13c44e81779b7f499224e5bf
  SHA1: 52cd0f52e9fab839fac42dd69a1c52aa9b9885f8
  SHA256: 696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85
  SHA512: fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835
Memory dumps (Filesize in parentheses; mapping dumps have no size):
- memory/748-49-0x0000000006280000-0x0000000006281000-memory.dmp (4KB)
- memory/748-65-0x0000000006310000-0x0000000006311000-memory.dmp (4KB)
- memory/748-50-0x0000000005FD0000-0x0000000005FD1000-memory.dmp (4KB)
- memory/748-29-0x0000000004700000-0x0000000004701000-memory.dmp (4KB)
- memory/748-28-0x00000000023D0000-0x00000000023D1000-memory.dmp (4KB)
- memory/748-25-0x0000000074230000-0x000000007491E000-memory.dmp (6.9MB)
- memory/748-33-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
- memory/748-64-0x0000000006300000-0x0000000006301000-memory.dmp (4KB)
- memory/748-36-0x0000000006030000-0x0000000006031000-memory.dmp (4KB)
- memory/748-32-0x0000000002590000-0x0000000002591000-memory.dmp (4KB)
- memory/748-41-0x0000000006080000-0x0000000006081000-memory.dmp (4KB)
- memory/748-20-0x0000000000000000-mapping.dmp
- memory/748-42-0x00000000061E0000-0x00000000061E1000-memory.dmp (4KB)
- memory/1184-4-0x0000000000000000-mapping.dmp
- memory/1448-3-0x0000000000000000-mapping.dmp
- memory/1708-17-0x0000000000000000-mapping.dmp
- memory/1708-30-0x00000000023D0000-0x00000000023D4000-memory.dmp (16KB)
- memory/1708-31-0x00000000026D0000-0x00000000026D4000-memory.dmp (16KB)
- memory/1748-12-0x0000000000000000-mapping.dmp
- memory/1752-14-0x0000000000000000-mapping.dmp
- memory/1796-11-0x0000000000000000-mapping.dmp
- memory/1840-24-0x0000000140000000-0x0000000140039000-memory.dmp (228KB)
- memory/1840-23-0x0000000000000000-mapping.dmp
- memory/2028-27-0x0000000002830000-0x0000000002834000-memory.dmp (16KB)
- memory/2028-26-0x0000000000230000-0x0000000000234000-memory.dmp (16KB)
- memory/2028-2-0x0000000001E50000-0x0000000001E90000-memory.dmp (256KB)
- memory/2028-13-0x0000000003F60000-0x0000000003F71000-memory.dmp (68KB)
- memory/2028-7-0x0000000003F60000-0x0000000003F71000-memory.dmp (68KB)
- memory/2028-6-0x0000000004370000-0x0000000004381000-memory.dmp (68KB)
- memory/2028-5-0x0000000003F60000-0x0000000003F71000-memory.dmp (68KB)