Analysis
Max time kernel: 150s
Max time network: 154s
Resource: win7v191014
Task: task1
Sample: 41ed194a7310eae9620d1b4facfbc33fb246c079.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: 41ed194a7310eae9620d1b4facfbc33fb246c079.exe
Resource: win10v191014
0 signatures
General
Target: 41ed194a7310eae9620d1b4facfbc33fb246c079
Sample: 191018-h4wh8mye46
SHA256: 343d223fc1337edd9e8af65cda88fc6a616c9a16c7c11598675ed8b07cb7d790
Score: N/A
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
Description            PID   Process
Token: SeTcbPrivilege  1128  svchost.exe
Trickbot persistence files
Description   IoC                                                   PID   Process
File created  C:\Users\Admin\AppData\Roaming\HomeLan\settings.ini  1128  svchost.exe
Drops file in system dir (12 IoCs)
Description                   IoC                           PID   Process
File created (read-only)      C:\Windows\TEMP\Cab9A6A.tmp   1128  svchost.exe
File created (read-only)      C:\Windows\TEMP\Tar9A6B.tmp   1128  svchost.exe
File opened for modification  C:\Windows\TEMP\Cab9A6A.tmp   1128  svchost.exe
File opened for modification  C:\Windows\TEMP\Tar9A6B.tmp   1128  svchost.exe
File deleted                  C:\Windows\Temp\Cab9A6A.tmp   1128  svchost.exe
File deleted                  C:\Windows\Temp\Tar9A6B.tmp   1128  svchost.exe
File created (read-only)      C:\Windows\TEMP\Cab9AAB.tmp   1128  svchost.exe
File created (read-only)      C:\Windows\TEMP\Tar9AAC.tmp   1128  svchost.exe
File opened for modification  C:\Windows\TEMP\Cab9AAB.tmp   1128  svchost.exe
File opened for modification  C:\Windows\TEMP\Tar9AAC.tmp   1128  svchost.exe
File deleted                  C:\Windows\Temp\Cab9AAB.tmp   1128  svchost.exe
File deleted                  C:\Windows\Temp\Tar9AAC.tmp   1128  svchost.exe
Family: trickbot
Loads dropped DLL (1 IoC)
PID   Process
1412  41ed194a7310eae9620d1b4facfbc33fb246c079.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Description                    PID   Process                                        Target PID
PID 1412 wrote to memory of 1108  1412  41ed194a7310eae9620d1b4facfbc33fb246c079.exe  26
PID 1108 wrote to memory of 2020  1108  Нлкаи.exe                                      27
PID 2044 wrote to memory of 840   2044  taskeng.exe                                    29
PID 840 wrote to memory of 1128   840   Нлкаи.exe                                      30
Executes dropped EXE (2 IoCs)
PID   Process
1108  Нлкаи.exe
840   Нлкаи.exe
Uses Task Scheduler COM API (1 TTP, 26 IoCs)
Description        IoC                                                                                                       PID   Process
Key opened         \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}                          2020  svchost.exe
Key queried        \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}                          2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs                  2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid                   2020  svchost.exe
Key queried        \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID                   2020  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\                  2020  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\                         2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32           2020  svchost.exe
Key queried        \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32           2020  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32  2020  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\          2020  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel  2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32          2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler            2020  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}                          1128  svchost.exe
Key queried        \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}                          1128  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs                  1128  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid                   1128  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\                  1128  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\                         1128  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32           1128  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32  1128  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\          1128  svchost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel  1128  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32          1128  svchost.exe
Key opened         \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler            1128  svchost.exe
Processes

Path: C:\Users\Admin\AppData\Local\Temp\41ed194a7310eae9620d1b4facfbc33fb246c079.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\41ed194a7310eae9620d1b4facfbc33fb246c079.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1412

Path: C:\ProgramData\Нлкаи.exe
Command line: "C:\ProgramData\Нлкаи.exe"
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 1108

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
PID: 2020

Path: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {3E05DABE-CAC9-4A0F-A8CB-AD23375D66C0} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID: 2044

Path: C:\Users\Admin\AppData\Roaming\HomeLan\Нлкаи.exe
Command line: C:\Users\Admin\AppData\Roaming\HomeLan\Нлкаи.exe
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 840

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Drops file in system dir
- Uses Task Scheduler COM API
PID: 1128