Analysis

  • max time kernel
    101s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-12-2020 11:29

General

  • Target
    kpsiwn.exe
  • Size
    341KB
  • MD5
    4103d97c7cad79f050901aace0d9fbe0
  • SHA1
    dead0bd2345e9769b5545f4ff628e5c59fb5ef9e
  • SHA256
    e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00
  • SHA512
    390513fba9908a4f84a2f49174d573f8c0c45d9aa17ed5fb0300fe4f1eb85873eda4ed221f82d36ed629a06d0b1edd3983c10a5904949eae7d237753ab77ec57

Malware Config

Extracted

  • Family
    trickbot
  • Version
    100007
  • Botnet
    mor1
  • C2
    41.243.29.182:449
    196.45.140.146:449
    103.87.25.220:443
    103.98.129.222:449
    103.87.25.220:449
    103.65.196.44:449
    103.65.195.95:449
    103.61.101.11:449
    103.61.100.131:449
    103.150.68.124:449
    103.137.81.206:449
    103.126.185.7:449
    103.112.145.58:449
    103.110.53.174:449
    102.164.208.48:449
    102.164.208.44:449
  • Attributes
    autorun
    Name:pwgrab
    ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Looks up external IP address via web service ⋅ 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe
    "C:\Users\Admin\AppData\Local\Temp\kpsiwn.exe"
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation


Downloads

  • memory/1388-4-0x0000000000000000-mapping.dmp
  • memory/1684-2-0x00000000002A0000-0x00000000002DF000-memory.dmp
  • memory/1684-3-0x00000000004D0000-0x000000000050B000-memory.dmp