Analysis

  • max time kernel
    105s
  • max time network
    150s
  • resource
    win10v191014

General

  • Target

    f0a6bef71d57feee7c036899edc337bc1fb69160

  • Sample

    191018-tfbpyxqage

  • SHA256

    52e472778acc393299cfcdfcec641895b464770da12c3d0cf2e4430201815241

Score
N/A

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Drops file in system dir 3 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Trickbot persistence files 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs 29 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • trickbot family

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe
    "C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4804
  • C:\ProgramData\그다수특리고있즐래.exe
    "C:\ProgramData\그다수특리고있즐래.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4916
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    1⤵
    • Uses Task Scheduler COM API
    PID:4944
  • C:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exe
    C:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5004
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Modifies service
    • Drops file in system dir
    PID:5060
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
      PID:380
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
      1⤵
      • Checks system information in the registry (likely anti-VM)
      PID:4548
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
      1⤵
      • Windows security modification
      PID:4244
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup
      1⤵
        PID:4176
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Trickbot persistence files
        • Uses Task Scheduler COM API
        PID:4104

      Network

      MITRE ATT&CK Enterprise v15

      MITRE ATT&CK Additional techniques

      • T1031
      • T1089

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4916-2-0x0000000003710000-0x000000000373D000-memory.dmp

        Filesize

        180KB