Analysis
-
max time kernel
134s -
max time network
150s -
resource
win10v191014
Task
task1
Sample
2f8b0b6435ca18da75e8ae2e6745718124a26f66.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
2f8b0b6435ca18da75e8ae2e6745718124a26f66.exe
Resource
win10v191014
0 signatures
General
-
Target
2f8b0b6435ca18da75e8ae2e6745718124a26f66
-
Sample
191018-dj47fcq5ta
-
SHA256
73e462e48d639a6ed2bc798c451328260646fab7ef12d41381bcb48f9e5598b2
Score
N/A
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 5004 акииб.exe 1764 акииб.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTcbPrivilege 328 svchost.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 2812 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 2812 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 2812 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 2812 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 2812 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4756 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4756 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4164 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4164 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4960 wrote to memory of 5004 4960 2f8b0b6435ca18da75e8ae2e6745718124a26f66.exe 71 PID 5004 wrote to memory of 5040 5004 акииб.exe 72 PID 1764 wrote to memory of 328 1764 акииб.exe 75 -
ioc pid Process C:\Users\Admin\AppData\Roaming\HomeLan\Data\ 328 svchost.exe -
Modifies service 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITS39f17b34-52e5-4dfd-97e2-0556eb182f7e" 2812 svchost.exe -
trickbot family
-
Uses Task Scheduler COM API 1 TTPs 29 IoCs
description ioc pid Process Key opened \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 5040 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 5040 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 5040 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 5040 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 5040 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 5040 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 5040 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 5040 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 328 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 328 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 328 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 328 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 328 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 328 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 328 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 328 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f8b0b6435ca18da75e8ae2e6745718124a26f66.exe"C:\Users\Admin\AppData\Local\Temp\2f8b0b6435ca18da75e8ae2e6745718124a26f66.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4960
-
C:\ProgramData\акииб.exe"C:\ProgramData\акииб.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
PID:5040
-
C:\Users\Admin\AppData\Roaming\HomeLan\акииб.exeC:\Users\Admin\AppData\Roaming\HomeLan\акииб.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Uses Task Scheduler COM API
PID:328
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
- Modifies service
PID:2812
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4048
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4756
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:3752
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4164
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1031