Analysis
-
max time kernel
129s -
max time network
145s -
resource
win7v191014
Task
task1
Sample
ecf315df8321b5bee5395cff7add2206d385dab0.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
ecf315df8321b5bee5395cff7add2206d385dab0.exe
Resource
win10v191014
0 signatures
General
-
Target
ecf315df8321b5bee5395cff7add2206d385dab0
-
Sample
191018-tgvqksr3x6
-
SHA256
1a99aa6e1384825cc743edcded40b73c73eea21e0d965c8ac38361291d6f7373
Score
N/A
Malware Config
Signatures
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1516 ecf315df8321b5bee5395cff7add2206d385dab0.exe 1616 АФВЧсуРНЛщ.exe 1012 АФВЧсуРНЛщ.exe -
Loads dropped DLL 1 IoCs
pid Process 1516 ecf315df8321b5bee5395cff7add2206d385dab0.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1516 wrote to memory of 1616 1516 ecf315df8321b5bee5395cff7add2206d385dab0.exe 26 PID 1616 wrote to memory of 1084 1616 АФВЧсуРНЛщ.exe 27 PID 2040 wrote to memory of 1012 2040 taskeng.exe 29 PID 1012 wrote to memory of 1172 1012 АФВЧсуРНЛщ.exe 30 -
Executes dropped EXE 2 IoCs
pid Process 1616 АФВЧсуРНЛщ.exe 1012 АФВЧсуРНЛщ.exe -
Uses Task Scheduler COM API 1 TTPs 26 IoCs
description ioc pid Process Key opened \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1084 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1084 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID 1084 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1084 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1084 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1084 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1084 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1084 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1084 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1172 svchost.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1172 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1172 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1172 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1172 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1172 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1172 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1172 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1172 svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1172 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1172 svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1172 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTcbPrivilege 1172 svchost.exe -
description ioc pid Process File created C:\Users\Admin\AppData\Roaming\iCloud\settings.ini 1172 svchost.exe -
trickbot family
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecf315df8321b5bee5395cff7add2206d385dab0.exe"C:\Users\Admin\AppData\Local\Temp\ecf315df8321b5bee5395cff7add2206d385dab0.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
-
C:\ProgramData\АФВЧсуРНЛщ.exe"C:\ProgramData\АФВЧсуРНЛщ.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
PID:1084
-
C:\Windows\system32\taskeng.exetaskeng.exe {97899908-3519-4CAA-836D-305B41261055} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:2040
-
C:\Users\Admin\AppData\Roaming\iCloud\АФВЧсуРНЛщ.exeC:\Users\Admin\AppData\Roaming\iCloud\АФВЧсуРНЛщ.exe1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID:1172