Analysis
max time kernel: 147s
max time network: 148s
resource: win7v191014
Task: task1
Sample: 2eb72c4993a981c9480427c83338105bcd0d863d.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: 2eb72c4993a981c9480427c83338105bcd0d863d.exe
Resource: win10v191014
0 signatures
General
Target: 2eb72c4993a981c9480427c83338105bcd0d863d
Sample: 191018-m9ktjhnaq6
SHA256: eb54385986e592ccfba2276d97f653a1bf9e14acf34176e823f5a8f2da3df1b5
Score: N/A
Malware Config
Signatures
trickbot family
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1796 wrote to memory of 1988 1796 2eb72c4993a981c9480427c83338105bcd0d863d.exe 27
PID 856 wrote to memory of 1460 856 taskeng.exe 29
PID 1460 wrote to memory of 840 1460 2eb92c4993a981c9480429c83338107bcd0d883d.exe 30
Uses Task Scheduler COM API 1 TTPs 26 IoCs
description ioc pid Process
Key opened \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1988 svchost.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1988 svchost.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID 1988 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1988 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1988 svchost.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1988 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1988 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1988 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1988 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 840 svchost.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 840 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 840 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 840 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 840 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 840 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 840 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 840 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 840 svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 840 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 840 svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 840 svchost.exe
Executes dropped EXE 1 IoCs
pid Process
1460 2eb92c4993a981c9480429c83338107bcd0d883d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeTcbPrivilege 840 svchost.exe
Trickbot persistence files 1 IoCs
description ioc pid Process
File created C:\Users\Admin\AppData\Roaming\netcloud\settings.ini 840 svchost.exe
Drops file in system dir 20 IoCs
description ioc pid Process
File created (read-only) C:\Windows\TEMP\Cab8D50.tmp 840 svchost.exe
File created (read-only) C:\Windows\TEMP\Tar8D51.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\Cab8D50.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\Tar8D51.tmp 840 svchost.exe
File deleted C:\Windows\Temp\Cab8D50.tmp 840 svchost.exe
File deleted C:\Windows\Temp\Tar8D51.tmp 840 svchost.exe
File created (read-only) C:\Windows\TEMP\Cab8DDF.tmp 840 svchost.exe
File created (read-only) C:\Windows\TEMP\Tar8DE0.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\Cab8DDF.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\Tar8DE0.tmp 840 svchost.exe
File deleted C:\Windows\Temp\Cab8DDF.tmp 840 svchost.exe
File deleted C:\Windows\Temp\Tar8DE0.tmp 840 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 840 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 840 svchost.exe
File created (read-only) C:\Windows\TEMP\CabA315.tmp 840 svchost.exe
File created (read-only) C:\Windows\TEMP\TarA316.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\CabA315.tmp 840 svchost.exe
File opened for modification C:\Windows\TEMP\TarA316.tmp 840 svchost.exe
File deleted C:\Windows\Temp\CabA315.tmp 840 svchost.exe
File deleted C:\Windows\Temp\TarA316.tmp 840 svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2eb72c4993a981c9480427c83338105bcd0d863d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2eb72c4993a981c9480427c83338105bcd0d863d.exe"
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
PID:1988

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {275A25C1-F65C-4FD2-A1CA-AFE577255668} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\netcloud\2eb92c4993a981c9480429c83338107bcd0d883d.exe
Command line: C:\Users\Admin\AppData\Roaming\netcloud\2eb92c4993a981c9480429c83338107bcd0d883d.exe
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1460

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Drops file in system dir
PID:840