3a5773b76f24e640e21b1cb014c4ee6ebd2cbc05bc7f1c54be6a23aa323cfc45

Analysis

max time kernel
130s
max time network
150s
resource
win10v191014

Sharing

Copy URL

Twitter E-mail

General

Target

fec98b8cdd890124ce5c203a64b38050f5459801
Sample

191018-qj96et9cnj
SHA256

3a5773b76f24e640e21b1cb014c4ee6ebd2cbc05bc7f1c54be6a23aa323cfc45

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4960	4904	fec98b8cdd890124ce5c203a64b38050f5459801.exe	70
PID 4960 wrote to memory of 5048	4960	տարածաշրջանից.exe	72
PID 5104 wrote to memory of 2012	5104	տարածաշրջանից.exe	74

Executes dropped EXE 2 IoCs

pid	Process
4960	տարածաշրջանից.exe
5104	տարածաշրջանից.exe

Uses Task Scheduler COM API 1 TTPs 29 IoCs

persistence

Query Registry

T1012

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	5048	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	5048	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	5048	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	5048	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	5048	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	5048	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	5048	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	5048	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	2012	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	2012	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	2012	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	2012	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	2012	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	2012	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	2012	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	2012	svchost.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSf5da856e-017e-4183-ba75-34cc8f0e1883"	1012	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4904	fec98b8cdd890124ce5c203a64b38050f5459801.exe
4960	տարածաշրջանից.exe
5104	տարածաշրջանից.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2012	svchost.exe

Trickbot persistence files 1 IoCs

trojan banker

ioc	pid	Process
C:\Users\Admin\AppData\Roaming\netcloud\Data\	2012	svchost.exe

Drops file in system dir 5 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	1012	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	1012	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	1012	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	1012	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	1012	svchost.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4720	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4720	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4268	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4268	svchost.exe

trickbot family
family

C:\Users\Admin\AppData\Local\Temp\fec98b8cdd890124ce5c203a64b38050f5459801.exe
"C:\Users\Admin\AppData\Local\Temp\fec98b8cdd890124ce5c203a64b38050f5459801.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4904

C:\ProgramData\տարածաշրջանից.exe
"C:\ProgramData\տարածաշրջանից.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:5048

C:\Users\Admin\AppData\Roaming\netcloud\տարածաշրջանից.exe
C:\Users\Admin\AppData\Roaming\netcloud\տարածաշրջանից.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID:2012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in system dir
PID:1012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4720

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:3736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4268

Network

190.152.4.210:449

svchost.exe

198 B
162 B
3
3
52.109.88.37:443

nexus.officeapps.live.com

4.1kB
9.8kB
16
11
52.109.124.19:443

nexusrules.officeapps.live.com

2.2kB
7.0kB
11
6
104.81.140.70:443

fs.microsoft.com

BITS

3.4kB
70.0kB
46
17
104.81.140.70:443

fs.microsoft.com

BITS

3.4kB
71.0kB
46
14
190.152.4.210:449

svchost.exe

198 B
162 B
3
3
127.0.0.1:47001

BITS
104.81.140.70:443

fs.microsoft.com

BITS

4.7kB
87.7kB
59
24
104.81.140.70:443

fs.microsoft.com

BITS

3.4kB
71.1kB
46
16
190.152.4.210:449

198 B
162 B
3
3

10.10.0.255:137

770 B
7
239.255.255.250:1900

SSDPSRV
239.255.255.250:1900

SSDPSRV

1.4kB
8
8.8.8.8:53

nexus.officeapps.live.com

85 B
147 B
1
1

DNS Request

nexus.officeapps.live.com

DNS Response

52.109.88.37
8.8.8.8:53

fs.microsoft.com

76 B
283 B
1
1

DNS Request

fs.microsoft.com

DNS Response

104.81.140.70
10.10.0.29:137

208 B
2
8.8.8.8:53

nexusrules.officeapps.live.com

90 B
155 B
1
1

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.109.124.19

224.0.0.22

62 B
1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1031
T1089

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.