Analysis
-
max time kernel
105s -
max time network
150s -
resource
win10v191014
Task
task1
Sample
f0a6bef71d57feee7c036899edc337bc1fb69160.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
f0a6bef71d57feee7c036899edc337bc1fb69160.exe
Resource
win10v191014
0 signatures
General
-
Target
f0a6bef71d57feee7c036899edc337bc1fb69160
-
Sample
191018-tfbpyxqage
-
SHA256
52e472778acc393299cfcdfcec641895b464770da12c3d0cf2e4430201815241
Score
N/A
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4916 그다수특리고있즐래.exe 5004 그다수특리고있즐래.exe -
Modifies service 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITS433e73b4-7a7f-4377-a90c-03e5e332b6a9" 5060 svchost.exe -
Drops file in system dir 3 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 5060 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 5060 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 5060 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4548 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4548 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTcbPrivilege 4104 svchost.exe -
ioc pid Process C:\Users\Admin\AppData\Roaming\netcloud\Data\ 4104 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4804 f0a6bef71d57feee7c036899edc337bc1fb69160.exe 4916 그다수특리고있즐래.exe 5004 그다수특리고있즐래.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4804 wrote to memory of 4916 4804 f0a6bef71d57feee7c036899edc337bc1fb69160.exe 71 PID 4916 wrote to memory of 4944 4916 그다수특리고있즐래.exe 72 PID 5004 wrote to memory of 4104 5004 그다수특리고있즐래.exe 82 -
Uses Task Scheduler COM API 1 TTPs 29 IoCs
description ioc pid Process Key opened \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 4944 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 4944 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 4944 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 4104 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 4104 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 4104 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4244 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4244 svchost.exe -
trickbot family
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe"C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804
-
C:\ProgramData\그다수특리고있즐래.exe"C:\ProgramData\그다수특리고있즐래.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
PID:4944
-
C:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exeC:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Modifies service
- Drops file in system dir
PID:5060
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:380
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4548
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4244
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4176
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Uses Task Scheduler COM API
PID:4104
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1031
- T1089