Resubmissions
17-01-2025 20:14
250117-yz7h3s1qfw 1017-01-2025 20:12
250117-yy9l2sslcr 1017-01-2025 17:25
250117-vy9p9sxpez 1017-01-2025 17:21
250117-vw8eesyjfp 1017-01-2025 14:16
250117-rk9ass1rhk 1017-01-2025 14:12
250117-rhv1ds1lds 1016-01-2025 12:52
250116-p4et7a1mez 1016-01-2025 12:50
250116-p29xjssjep 1016-01-2025 12:49
250116-p2cbaasjam 1013-01-2025 04:35
250113-e7x5tswlfz 10Analysis
-
max time kernel
864s -
max time network
886s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
16-01-2025 12:52
General
-
Target
Malware-1-master/youwin.exe
-
Size
379KB
-
MD5
c3f3773a596db65c6491b578db621c45
-
SHA1
ba5529fe2d6648ebfa93c17145f5570f448e1111
-
SHA256
dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
-
SHA512
8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
-
SSDEEP
6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4
Malware Config
Extracted
trickbot
1000312
sun10
82.202.212.172:443
24.247.181.155:449
24.247.182.39:449
109.234.38.220:443
24.247.182.29:449
24.247.182.7:449
71.14.129.8:449
198.46.131.164:443
74.132.135.120:449
198.46.160.217:443
71.94.101.25:443
206.130.141.255:449
192.3.52.107:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
108.160.196.130:449
23.94.187.116:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Signatures
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
Trickbot x86 loader 2 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"1⤵
- Modifies Windows Defender notification settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\NetSf\youwin.exeC:\Users\Admin\AppData\Roaming\NetSf\youwin.exe2⤵
- Modifies Windows Defender notification settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Adds Run key to start application
-
C:\Windows\SYSTEM32\regini.exeregini C:\Users\Admin\AppData\Local\Temp\tmp0514⤵
-
-
C:\Windows\SYSTEM32\regini.exeregini C:\Users\Admin\AppData\Local\Temp\tmp0514⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f9349064c7c8f8467cc12d78a462e5f9
SHA15e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA5123229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf
-
Filesize
21KB
MD5bc66f2e587debc3f42cf9edb062ea328
SHA17930968695b38d8379a30bddab271fb3ccc722d4
SHA256eed5f22267607d7b026f87d9acb1efd91db4c3db6dda44a7b523f5c552786ef5
SHA512b4397d3df80577251e0879f15555b3b80f1d243f684bb619362542052814646f5a6acca355466cd7cecce1d8454257cc485f8820774084dbe63627d31c34109f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
67B
MD5e4bcd320585af9f77671cc6e91fe9de6
SHA115f12439eb3e133affb37b29e41e57d89fc90e06
SHA256a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8
SHA51200497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112
-
Filesize
67B
MD558b2f90cc0182925ae0bab51700b14ab
SHA1d2975adeb8dc68f2f5e10edee524de78e79828db
SHA2568114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964
SHA512de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782
-
Filesize
1KB
MD50b96502d2c7b2114f4b642e12e72c306
SHA11a6db3f790c1193d67372a0c3469bbbe5ff783e5
SHA256c300d470d981094b58c0a65f95d89c0924fae22a58212a5d39a1b8bf91a7e9b8
SHA5127bbcb8a42ac746659e8ed99c83685a4a382642457f1b4dd938ccb549ffe766834afb96ff7ec246c340666299f95bef31571252c0adbd7f02c4ce037fb8b2cd08
-
Filesize
379KB
MD5c3f3773a596db65c6491b578db621c45
SHA1ba5529fe2d6648ebfa93c17145f5570f448e1111
SHA256dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
SHA5128d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
6.8MB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
3.0MB
-
Filesize
756KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
28KB
-
Filesize
28KB