Analysis
-
max time kernel
126s -
max time network
137s -
resource
win7v191014
Task
task1
Sample
3ab810973efe13af16639485547817bf1a84bb84.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
3ab810973efe13af16639485547817bf1a84bb84.exe
Resource
win10v191014
0 signatures
General
-
Target
3ab810973efe13af16639485547817bf1a84bb84
-
Sample
191018-hqb4vww18x
-
SHA256
16eecff3664f44f07c5c32367f1b87b7f659181a6530a9c3a50c57879a4ce9b7
Score
N/A
Malware Config
Signatures
-
Uses Task Scheduler COM API 1 TTPs 26 IoCs
description ioc pid Process Key opened \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1312 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1312 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID 1312 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1312 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1312 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1312 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1312 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1312 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1312 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 316 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 316 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 316 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 316 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 316 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 316 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 316 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 316 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 316 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 316 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 316 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 316 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTcbPrivilege 316 svchost.exe -
description ioc pid Process File created C:\Users\Admin\AppData\Roaming\netRest\settings.ini 316 svchost.exe -
trickbot family
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1948 3ab810973efe13af16639485547817bf1a84bb84.exe 1260 انيلئرأئكتلمن.exe 2012 انيلئرأئكتلمن.exe -
Loads dropped DLL 1 IoCs
pid Process 1948 3ab810973efe13af16639485547817bf1a84bb84.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1948 wrote to memory of 1260 1948 3ab810973efe13af16639485547817bf1a84bb84.exe 26 PID 1260 wrote to memory of 1312 1260 انيلئرأئكتلمن.exe 27 PID 1120 wrote to memory of 2012 1120 taskeng.exe 29 PID 2012 wrote to memory of 316 2012 انيلئرأئكتلمن.exe 30 -
Executes dropped EXE 2 IoCs
pid Process 1260 انيلئرأئكتلمن.exe 2012 انيلئرأئكتلمن.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ab810973efe13af16639485547817bf1a84bb84.exe"C:\Users\Admin\AppData\Local\Temp\3ab810973efe13af16639485547817bf1a84bb84.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
-
C:\ProgramData\انيلئرأئكتلمن.exe"C:\ProgramData\انيلئرأئكتلمن.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1260
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
PID:1312
-
C:\Windows\system32\taskeng.exetaskeng.exe {DA0341DC-1AD3-4E55-B776-87E55DFDEBD0} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1120
-
C:\Users\Admin\AppData\Roaming\netRest\انيلئرأئكتلمن.exeC:\Users\Admin\AppData\Roaming\netRest\انيلئرأئكتلمن.exe1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID:316