7c06d1f53ccc14d4548b595f7c9afddf07be9c7a799e7a55a671cdf95e27bdca

General

Target

1aea1121475df57b5802c84583c4dc89500baa75
Sample

191018-5prbh9aams
SHA256

7c06d1f53ccc14d4548b595f7c9afddf07be9c7a799e7a55a671cdf95e27bdca

Score

N/A

Malware Config

Signatures

trickbot family
family

Loads dropped DLL 1 IoCs

pid	Process
1392	1aea1121475df57b5802c84583c4dc89500baa75.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1112	1392	1aea1121475df57b5802c84583c4dc89500baa75.exe	27
PID 1112 wrote to memory of 1996	1112	هلحهحللمحجأراصحألكأظلأا.exe	28
PID 828 wrote to memory of 848	828	taskeng.exe	30
PID 848 wrote to memory of 1284	848	هلحهحللمحجأراصحألكأظلأا.exe	31

Executes dropped EXE 2 IoCs

pid	Process
1112	هلحهحللمحجأراصحألكأظلأا.exe
848	هلحهحللمحجأراصحألكأظلأا.exe

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1996	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1996	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	1996	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1996	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1996	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1996	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1996	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1996	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1996	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1284	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1284	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1284	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1284	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1284	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1284	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1284	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1284	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1284	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1284	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1284	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1284	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1284	svchost.exe

Trickbot persistence files 1 IoCs

trojan banker

description	ioc	pid	Process
File created	C:\Users\Admin\AppData\Roaming\netcloud\settings.ini	1284	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1aea1121475df57b5802c84583c4dc89500baa75.exe
"C:\Users\Admin\AppData\Local\Temp\1aea1121475df57b5802c84583c4dc89500baa75.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392

C:\ProgramData\هلحهحللمحجأراصحألكأظلأا.exe
"C:\ProgramData\هلحهحللمحجأراصحألكأظلأا.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:1996

C:\Windows\system32\taskeng.exe
taskeng.exe {C251180F-42A9-4489-BD86-73361522CB3E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\netcloud\هلحهحللمحجأراصحألكأظلأا.exe
C:\Users\Admin\AppData\Roaming\netcloud\هلحهحللمحجأراصحألكأظلأا.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-3-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing