Analysis
- max time kernel: 115s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-11-2020 02:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: file5.pellet.exe
- Resource: win7v20201028
General
- Target: file5.pellet.exe
- Size: 369KB
- MD5: 9ec3a085d785f3d8091fa3435a1b9584
- SHA1: 1605367d4b3157f29679cd7c045d8a6df2db5c5d
- SHA256: 843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
- SHA512: de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
Malware Config
Extracted
- Family: trickbot
- Version: 1000296
- Botnet: sat97
- C2:
185.222.202.113:443
24.247.181.155:449
174.105.235.178:449
185.111.74.246:443
181.113.17.230:449
174.105.233.82:449
66.60.121.58:449
207.140.14.141:443
42.115.91.177:443
198.12.108.171:443
71.94.101.25:443
206.130.141.255:449
198.46.161.244:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
66.38.80.188:449
24.119.69.70:449
192.3.130.29:443
103.110.91.118:449
68.4.173.10:443
72.189.124.41:449
74.134.5.113:449
105.27.171.234:449
182.253.20.66:449
172.222.97.179:449
46.149.182.112:449
195.54.163.87:443
199.227.126.250:449
24.113.161.184:449
197.232.50.85:443
94.232.20.113:443
190.145.74.84:449
47.49.168.50:443
73.67.78.5:449
24.227.222.4:449
- autorun:
  - Control: GetSystemInfo, Name: systeminfo
  - Name: injectDll
  - Name: pwgrab
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 764 file6.pellet.exe
- Stops running service(s) (3 TTPs)
- Loads dropped DLL (2 IoCs)
  Processes: PID 292 file5.pellet.exe (x2)
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe, file opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 292 file5.pellet.exe (x3), PID 964 powershell.exe (x2)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 964 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (692 IoCs)
  Processes (unique source -> target pairs; the report logs each event many times):
  - PID 292 file5.pellet.exe wrote to memory of PID 1232 cmd.exe
  - PID 292 file5.pellet.exe wrote to memory of PID 1212 cmd.exe
  - PID 1212 cmd.exe wrote to memory of PID 1536 sc.exe
  - PID 1232 cmd.exe wrote to memory of PID 1680 sc.exe
  - PID 292 file5.pellet.exe wrote to memory of PID 1512 cmd.exe
  - PID 292 file5.pellet.exe wrote to memory of PID 764 file6.pellet.exe
  - PID 1512 cmd.exe wrote to memory of PID 964 powershell.exe
  - PID 764 file6.pellet.exe wrote to memory of PID 1620 svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /c sc stop WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc stop WinDefend
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /c sc delete WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete WinDefend
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
    Command line: C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
  MD5: 9ec3a085d785f3d8091fa3435a1b9584
  SHA1: 1605367d4b3157f29679cd7c045d8a6df2db5c5d
  SHA256: 843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
  SHA512: de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
- \Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
  MD5: 9ec3a085d785f3d8091fa3435a1b9584
  SHA1: 1605367d4b3157f29679cd7c045d8a6df2db5c5d
  SHA256: 843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
  SHA512: de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
- memory/292-2-0x0000000002150000-0x0000000002161000-memory.dmp (68KB)
- memory/292-3-0x0000000002560000-0x0000000002571000-memory.dmp (68KB)
- memory/292-4-0x0000000002420000-0x0000000002431000-memory.dmp (68KB)
- memory/292-6-0x0000000002420000-0x0000000002431000-memory.dmp (68KB)
- memory/292-5-0x0000000002830000-0x0000000002841000-memory.dmp (68KB)
- memory/292-10-0x0000000002420000-0x0000000002431000-memory.dmp (68KB)
- memory/764-15-0x0000000000000000-mapping.dmp
- memory/964-25-0x0000000005710000-0x0000000005711000-memory.dmp (4KB)
- memory/964-21-0x0000000002540000-0x0000000002541000-memory.dmp (4KB)
- memory/964-54-0x00000000062D0000-0x00000000062D1000-memory.dmp (4KB)
- memory/964-53-0x00000000062C0000-0x00000000062C1000-memory.dmp (4KB)
- memory/964-39-0x00000000055C0000-0x00000000055C1000-memory.dmp (4KB)
- memory/964-17-0x0000000000000000-mapping.dmp
- memory/964-18-0x00000000743E0000-0x0000000074ACE000-memory.dmp (6.9MB)
- memory/964-19-0x0000000001F00000-0x0000000001F01000-memory.dmp (4KB)
- memory/964-20-0x00000000048C0000-0x00000000048C1000-memory.dmp (4KB)
- memory/964-38-0x0000000006240000-0x0000000006241000-memory.dmp (4KB)
- memory/964-22-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
- memory/964-31-0x00000000061A0000-0x00000000061A1000-memory.dmp (4KB)
- memory/964-30-0x0000000005750000-0x0000000005751000-memory.dmp (4KB)
- memory/1212-1-0x0000000000000000-mapping.dmp
- memory/1232-0-0x0000000000000000-mapping.dmp
- memory/1512-11-0x0000000000000000-mapping.dmp
- memory/1536-8-0x0000000000000000-mapping.dmp
- memory/1620-55-0x0000000000000000-mapping.dmp
- memory/1620-56-0x0000000140000000-0x0000000140039000-memory.dmp (228KB)
- memory/1680-9-0x0000000000000000-mapping.dmp