Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b70119e477f01a901a14a0378ced471f93cee7f6

  • Sample

    191018-n76fe2empj

  • SHA256

    bbef4b3dd5c38980d54261ecc4220545f428a71c3238893e12458b2608de2c9d

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • trickbot family
    family
  • Drops file in system dir 5 IoCs
  • Trickbot persistence files 1 IoCs
    trojanbanker
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs 29 IoCs
    persistence
  • Modifies service 2 TTPs 1 IoCs
    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b70119e477f01a901a14a0378ced471f93cee7f6.exe
    "C:\Users\Admin\AppData\Local\Temp\b70119e477f01a901a14a0378ced471f93cee7f6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    PID:4968
  • C:\ProgramData\Օգտագործելով.exe
    "C:\ProgramData\Օգտագործելով.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:5096
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    1⤵
    • Uses Task Scheduler COM API
    PID:4276
  • C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
    C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:1920
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Drops file in system dir
    • Modifies service
    PID:2692
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
      PID:3136
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Trickbot persistence files
      • Uses Task Scheduler COM API
      PID:3332
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
      1⤵
      • Checks system information in the registry (likely anti-VM)
      PID:4424
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup
      1⤵
        PID:4324
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
        1⤵
        • Windows security modification
        PID:4180

      Network

      MITRE ATT&CK Enterprise v15

      MITRE ATT&CK Additional techniques

      • T1089
      • T1031

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Օգտագործելով.exe
        Download Submit

      • C:\ProgramData\Օգտագործելով.exe
        Download Submit

      • C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
        Download Submit

      • C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
        Download Submit