343d223fc1337edd9e8af65cda88fc6a616c9a16c7c11598675ed8b07cb7d790

General

Target

41ed194a7310eae9620d1b4facfbc33fb246c079
Sample

191018-h4wh8mye46
SHA256

343d223fc1337edd9e8af65cda88fc6a616c9a16c7c11598675ed8b07cb7d790

Score

N/A

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1128	svchost.exe

Trickbot persistence files 1 IoCs

trojan banker

description	ioc	pid	Process
File created	C:\Users\Admin\AppData\Roaming\HomeLan\settings.ini	1128	svchost.exe

Drops file in system dir 12 IoCs

description	ioc	pid	Process
File created (read-only)	C:\Windows\TEMP\Cab9A6A.tmp	1128	svchost.exe
File created (read-only)	C:\Windows\TEMP\Tar9A6B.tmp	1128	svchost.exe
File opened for modification	C:\Windows\TEMP\Cab9A6A.tmp	1128	svchost.exe
File opened for modification	C:\Windows\TEMP\Tar9A6B.tmp	1128	svchost.exe
File deleted	C:\Windows\Temp\Cab9A6A.tmp	1128	svchost.exe
File deleted	C:\Windows\Temp\Tar9A6B.tmp	1128	svchost.exe
File created (read-only)	C:\Windows\TEMP\Cab9AAB.tmp	1128	svchost.exe
File created (read-only)	C:\Windows\TEMP\Tar9AAC.tmp	1128	svchost.exe
File opened for modification	C:\Windows\TEMP\Cab9AAB.tmp	1128	svchost.exe
File opened for modification	C:\Windows\TEMP\Tar9AAC.tmp	1128	svchost.exe
File deleted	C:\Windows\Temp\Cab9AAB.tmp	1128	svchost.exe
File deleted	C:\Windows\Temp\Tar9AAC.tmp	1128	svchost.exe

trickbot family
family

Loads dropped DLL 1 IoCs

pid	Process
1412	41ed194a7310eae9620d1b4facfbc33fb246c079.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1108	1412	41ed194a7310eae9620d1b4facfbc33fb246c079.exe	26
PID 1108 wrote to memory of 2020	1108	Нлкаи.exe	27
PID 2044 wrote to memory of 840	2044	taskeng.exe	29
PID 840 wrote to memory of 1128	840	Нлкаи.exe	30

Executes dropped EXE 2 IoCs

pid	Process
1108	Нлкаи.exe
840	Нлкаи.exe

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	2020	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	2020	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	2020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	2020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	2020	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	2020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	2020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	2020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	2020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1128	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1128	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1128	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1128	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1128	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1128	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1128	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1128	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1128	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1128	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1128	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1128	svchost.exe

C:\Users\Admin\AppData\Local\Temp\41ed194a7310eae9620d1b4facfbc33fb246c079.exe
"C:\Users\Admin\AppData\Local\Temp\41ed194a7310eae9620d1b4facfbc33fb246c079.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\ProgramData\Нлкаи.exe
"C:\ProgramData\Нлкаи.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {3E05DABE-CAC9-4A0F-A8CB-AD23375D66C0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\HomeLan\Нлкаи.exe
C:\Users\Admin\AppData\Roaming\HomeLan\Нлкаи.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Drops file in system dir
- Uses Task Scheduler COM API
PID:1128

Network

No results found

194.5.250.82:443

194 B
162 B
3
3
190.13.160.19:449

svchost.exe

523 B
1.6kB
5
4
194.5.250.82:443

svchost.exe

194 B
162 B
3
3
194.5.250.82:443

svchost.exe

194 B
162 B
3
3

224.0.0.252:5355

128 B
2
224.0.0.252:5355

132 B
2
224.0.0.252:5355

132 B
2
224.0.0.252:5355

128 B
2
10.7.0.255:137

1.9kB
20
224.0.0.252:5355

132 B
2
239.255.255.250:1900

1.1kB
6
239.255.255.250:1900

224.0.0.22

180 B
3

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-4-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing