kpsiwn.zip

General
Target: kpsiwn.exe
Filesize: 341KB
Completed: 21-12-2020 11:32
Score: 10/10
MD5: 4103d97c7cad79f050901aace0d9fbe0
SHA1: dead0bd2345e9769b5545f4ff628e5c59fb5ef9e
SHA256: e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00

Malware Config

Extracted
Family: trickbot
Version: 100007
Botnet: mor1
C2:

Attributes
  autorun
  Name: pwgrab
  ecc_pubkey.base64

Signatures (5)


  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    8    | api.ipify.org
    9    | api.ipify.org
  • Drops file in Windows directory
    kpsiwn.exe

    Reported IOCs

    description                  | ioc                     | process
    File opened for modification | C:\Windows\explorer.exe | kpsiwn.exe
  • Suspicious use of AdjustPrivilegeToken
    wermgr.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 1388 | wermgr.exe
  • Suspicious use of WriteProcessMemory
    kpsiwn.exe

    Reported IOCs

    description                      | pid  | process    | target process
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
    PID 1684 wrote to memory of 1388 | 1684 | kpsiwn.exe | wermgr.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe"
    PID: 1684
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 1388
      Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
  • memory/1388-4-0x0000000000000000-mapping.dmp
  • memory/1684-2-0x00000000002A0000-0x00000000002DF000-memory.dmp
  • memory/1684-3-0x00000000004D0000-0x000000000050B000-memory.dmp