trickbot | b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48

General

Target

b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
Size

368KB
MD5

a521b03af94451e2386e0c2033d82870
SHA1

2d34af6a73c3584506ba49171f47fd69f2d23ca1
SHA256

b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48
SHA512

dfc22c79a5888e5095566e81faf6903f54c9e995e8d2aa3018416273bbcf13dbe8bc5cda7c6135933a1992097fc07938eeaea427093a82d64d74551c4cbf323c
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qF:emSuOcHmnYhrDMTrban4qF

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/856-1-0x00000000001B0000-0x00000000001D9000-memory.dmp	trickbot_loader32
behavioral1/memory/856-7-0x00000000001B0000-0x00000000001D9000-memory.dmp	trickbot_loader32
behavioral1/memory/1976-10-0x00000000002C0000-0x00000000002E9000-memory.dmp	trickbot_loader32
behavioral1/memory/1976-20-0x00000000002C0000-0x00000000002E9000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

Processes:

b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exeb7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe

pid	process
1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
1768	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe

Loads dropped DLL 1 IoCs

Processes:

b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe

pid process

856 b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2288 powershell.exe
2844 powershell.exe

pid	process
2288	powershell.exe
2844	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2192 sc.exe
2136 sc.exe
2704 sc.exe
2108 sc.exe

pid	process
2192	sc.exe
2136	sc.exe
2704	sc.exe
2108	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.execmd.execmd.exepowershell.exeb7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exesc.execmd.exesc.exesc.exepowershell.exesc.exeb6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exeb7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exepowershell.exepowershell.exe

pid	process
856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
2844	powershell.exe
2288	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeb7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe

description	pid	process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeTcbPrivilege	1768	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.execmd.execmd.execmd.exeb7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 2624	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2624	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2624	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2624	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2096	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2096	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2096	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2096	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2488	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2488	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2488	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 2488	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	cmd.exe
PID 856 wrote to memory of 1976	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
PID 856 wrote to memory of 1976	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
PID 856 wrote to memory of 1976	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
PID 856 wrote to memory of 1976	856	b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
PID 2624 wrote to memory of 2192	2624	cmd.exe	sc.exe
PID 2624 wrote to memory of 2192	2624	cmd.exe	sc.exe
PID 2624 wrote to memory of 2192	2624	cmd.exe	sc.exe
PID 2624 wrote to memory of 2192	2624	cmd.exe	sc.exe
PID 2096 wrote to memory of 2136	2096	cmd.exe	sc.exe
PID 2096 wrote to memory of 2136	2096	cmd.exe	sc.exe
PID 2096 wrote to memory of 2136	2096	cmd.exe	sc.exe
PID 2096 wrote to memory of 2136	2096	cmd.exe	sc.exe
PID 2488 wrote to memory of 2288	2488	cmd.exe	powershell.exe
PID 2488 wrote to memory of 2288	2488	cmd.exe	powershell.exe
PID 2488 wrote to memory of 2288	2488	cmd.exe	powershell.exe
PID 2488 wrote to memory of 2288	2488	cmd.exe	powershell.exe
PID 1976 wrote to memory of 2648	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2648	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2648	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2648	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2684	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2684	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2684	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2684	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2784	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2784	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2784	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2784	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	cmd.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 1976 wrote to memory of 2828	1976	b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe	svchost.exe
PID 2648 wrote to memory of 2704	2648	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe
"C:\Users\Admin\AppData\Local\Temp\b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Users\Admin\AppData\Roaming\WNetval\b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2828

C:\Windows\system32\taskeng.exe
taskeng.exe {B47C159A-3C41-4B1D-96BE-7AEAF680A235} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1624
- C:\Users\Admin\AppData\Roaming\WNetval\b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
  C:\Users\Admin\AppData\Roaming\WNetval\b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\0f5007522459c86e95ffcc62f32308f1_5a410d66-f84f-4a6b-9b29-3982febe58d9

Filesize
1KB

MD5
b8dc6a1e8ed7233b64b91366c0ec1555

SHA1
03091c009ee41524b1985302e5b6bf9e721d30fc

SHA256
51227c6de2fb8617837e6063b751da8ab43dc85a3244d50afdfa547e11335e28

SHA512
090915242c1813530c46abaa01f73a4ca1d7181e7c0842d96e4dfa53b9f9e37fd0679225b06f8c81da26ea1888db9268c44c4e0918863c8f391d49a8b254957f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6c8bb1e1b40f9132028fd4c2827b1e85

SHA1
2436c8761ba2260675b6194c277e8d67cfaa2d5e

SHA256
689c9bf5782ace843b47f80349965c3d019a903a3d053576aac64ab75755f05b

SHA512
963d8bd26b327cb8ddedacdcd50cd4068715da707ebd5a7bc8a93c7ace5f63f74fc4a460416f6bb887f4077b5566188c43a76bc33101b06a0930e0d5257a5db5

Download Submit
\Users\Admin\AppData\Roaming\WNetval\b7a249932bdad06c21b2f940bd1aef0ba1d4e977c0f7f8d9b2fd2a30a2824f49N.exe

Filesize
368KB

MD5
a521b03af94451e2386e0c2033d82870

SHA1
2d34af6a73c3584506ba49171f47fd69f2d23ca1

SHA256
b6a248932bdad05c21b2f940bd1aef0ba1d4e866c0f6f7d8b2fd2a30a2724f48

SHA512
dfc22c79a5888e5095566e81faf6903f54c9e995e8d2aa3018416273bbcf13dbe8bc5cda7c6135933a1992097fc07938eeaea427093a82d64d74551c4cbf323c

Download Submit
memory/856-1-0x00000000001B0000-0x00000000001D9000-memory.dmp

Filesize
164KB

Download
memory/856-7-0x00000000001B0000-0x00000000001D9000-memory.dmp

Filesize
164KB

Download
memory/1976-10-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/1976-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1976-20-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/1976-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2828-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2828-15-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads