Analysis
-
max time kernel
125s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-11-2020 02:53
General
-
Target
file5.pellet.exe
-
Size
369KB
-
MD5
9ec3a085d785f3d8091fa3435a1b9584
-
SHA1
1605367d4b3157f29679cd7c045d8a6df2db5c5d
-
SHA256
843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
-
SHA512
de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
Malware Config
Extracted
trickbot
1000296
sat97
185.222.202.113:443
24.247.181.155:449
174.105.235.178:449
185.111.74.246:443
181.113.17.230:449
174.105.233.82:449
66.60.121.58:449
207.140.14.141:443
42.115.91.177:443
198.12.108.171:443
71.94.101.25:443
206.130.141.255:449
198.46.161.244:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
66.38.80.188:449
24.119.69.70:449
192.3.130.29:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 701 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe"C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exeC:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
e18913574a987fe22f2c3f8940b41e34
SHA1243b8f23130d2721b65fb876d37d365f3c8ee2f3
SHA256598b1c5b9b471b00bfc86ad55d1443bfa2f1a1ecb1b6951bb80f3ebe9d250451
SHA51245f34cdd9957b3bffb3cee2c62d7209970339c0c323678d88e881bc17cfab8c76c1008a6a69b064f76de6754477abcff99c3d12eeb75f1803ffbcf94b23abb67
-
C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exeMD5
9ec3a085d785f3d8091fa3435a1b9584
SHA11605367d4b3157f29679cd7c045d8a6df2db5c5d
SHA256843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
SHA512de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
-
C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exeMD5
9ec3a085d785f3d8091fa3435a1b9584
SHA11605367d4b3157f29679cd7c045d8a6df2db5c5d
SHA256843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
SHA512de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca
-
memory/500-2-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/500-3-0x0000000002F20000-0x0000000002F21000-memory.dmpFilesize
4KB
-
memory/500-5-0x0000000003260000-0x0000000003261000-memory.dmpFilesize
4KB
-
memory/500-4-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/500-6-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/2196-51-0x0000000000000000-mapping.dmp
-
memory/2804-15-0x0000000073510000-0x0000000073BFE000-memory.dmpFilesize
6.9MB
-
memory/2804-22-0x0000000007520000-0x0000000007521000-memory.dmpFilesize
4KB
-
memory/2804-38-0x0000000009000000-0x0000000009001000-memory.dmpFilesize
4KB
-
memory/2804-14-0x0000000000000000-mapping.dmp
-
memory/2804-36-0x0000000009010000-0x0000000009011000-memory.dmpFilesize
4KB
-
memory/2804-16-0x00000000042D0000-0x00000000042D1000-memory.dmpFilesize
4KB
-
memory/2804-17-0x0000000006DC0000-0x0000000006DC1000-memory.dmpFilesize
4KB
-
memory/2804-18-0x0000000006C10000-0x0000000006C11000-memory.dmpFilesize
4KB
-
memory/2804-19-0x00000000073F0000-0x00000000073F1000-memory.dmpFilesize
4KB
-
memory/2804-20-0x00000000076B0000-0x00000000076B1000-memory.dmpFilesize
4KB
-
memory/2804-21-0x0000000007720000-0x0000000007721000-memory.dmpFilesize
4KB
-
memory/2804-35-0x0000000009060000-0x0000000009061000-memory.dmpFilesize
4KB
-
memory/2804-23-0x0000000007EF0000-0x0000000007EF1000-memory.dmpFilesize
4KB
-
memory/2804-24-0x0000000007DB0000-0x0000000007DB1000-memory.dmpFilesize
4KB
-
memory/2804-26-0x0000000008B50000-0x0000000008B83000-memory.dmpFilesize
204KB
-
memory/2804-33-0x0000000008B30000-0x0000000008B31000-memory.dmpFilesize
4KB
-
memory/2804-34-0x0000000008EA0000-0x0000000008EA1000-memory.dmpFilesize
4KB
-
memory/2900-1-0x0000000000000000-mapping.dmp
-
memory/3252-48-0x0000000000000000-mapping.dmp
-
memory/3256-52-0x0000000140000000-0x0000000140039000-memory.dmpFilesize
228KB
-
memory/3256-50-0x0000000000000000-mapping.dmp
-
memory/3276-12-0x0000000000000000-mapping.dmp
-
memory/3560-42-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/3560-44-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/3560-43-0x0000000002D00000-0x0000000002D01000-memory.dmpFilesize
4KB
-
memory/3560-45-0x0000000003040000-0x0000000003041000-memory.dmpFilesize
4KB
-
memory/3560-46-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/3560-9-0x0000000000000000-mapping.dmp
-
memory/3560-49-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/3564-56-0x0000000073540000-0x0000000073C2E000-memory.dmpFilesize
6.9MB
-
memory/3564-54-0x0000000000000000-mapping.dmp
-
memory/3564-62-0x0000000007A60000-0x0000000007A61000-memory.dmpFilesize
4KB
-
memory/3564-65-0x00000000080C0000-0x00000000080C1000-memory.dmpFilesize
4KB
-
memory/3564-76-0x0000000009250000-0x0000000009251000-memory.dmpFilesize
4KB
-
memory/3728-13-0x0000000000000000-mapping.dmp
-
memory/3936-41-0x0000000000000000-mapping.dmp
-
memory/3996-40-0x0000000000000000-mapping.dmp
-
memory/4020-8-0x0000000000000000-mapping.dmp
-
memory/4040-53-0x0000000000000000-mapping.dmp
-
memory/4088-0-0x0000000000000000-mapping.dmp