Analysis

  • max time kernel
    131s
  • max time network
    147s
  • resource
    win7v191014

General

  • Target

    36c09a576e35a70e5400c545c19f3ad5420e4c33

  • Sample

    191018-j1rn7h112e

  • SHA256

    541852f64b1d45aa7fd0cfb6b14eb67c709f6da3514803aef0a8c8409153ced7

Score
N/A

Malware Config

Signatures

  • Uses Task Scheduler COM API 1 TTPs 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Trickbot persistence files 1 IoCs
  • trickbot family
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36c09a576e35a70e5400c545c19f3ad5420e4c33.exe
    "C:\Users\Admin\AppData\Local\Temp\36c09a576e35a70e5400c545c19f3ad5420e4c33.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1612
  • C:\ProgramData\МиПеЛЩВыСи.exe
    "C:\ProgramData\МиПеЛЩВыСи.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1808
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    1⤵
    • Uses Task Scheduler COM API
    PID:1988
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {725DEC24-6316-4B29-8EDC-C8E24EA2272F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1216
  • C:\Users\Admin\AppData\Roaming\iCloud\МиПеЛЩВыСи.exe
    C:\Users\Admin\AppData\Roaming\iCloud\МиПеЛЩВыСи.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:756
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    1⤵
    • Uses Task Scheduler COM API
    • Suspicious use of AdjustPrivilegeToken
    • Trickbot persistence files
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads