35d73010bd70af36a431ced5094fb440b8f9aa06154b260b8f666fa0a951ea9c

General

Target

4fa87ea1426e9d02c0aebe5fdefd03b42cb6640a
Sample

191018-8bvc9711j2
SHA256

35d73010bd70af36a431ced5094fb440b8f9aa06154b260b8f666fa0a951ea9c

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1736	1316	4fa87ea1426e9d02c0aebe5fdefd03b42cb6640a.exe	27
PID 1736 wrote to memory of 1056	1736	оасгз.exe	28
PID 736 wrote to memory of 1144	736	taskeng.exe	30
PID 1144 wrote to memory of 848	1144	оасгз.exe	31

Executes dropped EXE 2 IoCs

pid	Process
1736	оасгз.exe
1144	оасгз.exe

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	848	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	848	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	848	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	848	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	848	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	848	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	848	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	848	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	848	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	848	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	848	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	848	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	848	svchost.exe

Trickbot persistence files 1 IoCs

trojan banker

description	ioc	pid	Process
File created	C:\Users\Admin\AppData\Roaming\HomeLan\settings.ini	848	svchost.exe

trickbot family
family

Loads dropped DLL 1 IoCs

pid	Process
1316	4fa87ea1426e9d02c0aebe5fdefd03b42cb6640a.exe

C:\Users\Admin\AppData\Local\Temp\4fa87ea1426e9d02c0aebe5fdefd03b42cb6640a.exe
"C:\Users\Admin\AppData\Local\Temp\4fa87ea1426e9d02c0aebe5fdefd03b42cb6640a.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1316

C:\ProgramData\оасгз.exe
"C:\ProgramData\оасгз.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {6C624963-09FD-4288-832D-4271ED626ADA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Roaming\HomeLan\оасгз.exe
C:\Users\Admin\AppData\Roaming\HomeLan\оасгз.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-4-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing