Analysis
max time kernel: 131s
max time network: 147s
resource: win7v191014
Task: task1
Sample: 36c09a576e35a70e5400c545c19f3ad5420e4c33.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: 36c09a576e35a70e5400c545c19f3ad5420e4c33.exe
Resource: win10v191014
0 signatures
General
Target: 36c09a576e35a70e5400c545c19f3ad5420e4c33
Sample: 191018-j1rn7h112e
SHA256: 541852f64b1d45aa7fd0cfb6b14eb67c709f6da3514803aef0a8c8409153ced7
Score: N/A
Malware Config
Signatures
Uses Task Scheduler COM API 1 TTPs 26 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1988 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid | 1988 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID | 1988 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ | 1988 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 1988 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 1988 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 | 1988 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ | 1988 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler | 1988 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 2032 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 2032 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs | 2032 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid | 2032 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ | 2032 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ | 2032 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 2032 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 | 2032 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ | 2032 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel | 2032 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 | 2032 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler | 2032 | svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeTcbPrivilege | 2032 | svchost.exe
Trickbot persistence files 1 IoCs
description | ioc | pid | Process
File created | C:\Users\Admin\AppData\Roaming\iCloud\settings.ini | 2032 | svchost.exe
trickbot family
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1612 | 36c09a576e35a70e5400c545c19f3ad5420e4c33.exe
1808 | МиПеЛЩВыСи.exe
756 | МиПеЛЩВыСи.exe

Loads dropped DLL 1 IoCs
pid | Process
1612 | 36c09a576e35a70e5400c545c19f3ad5420e4c33.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1612 wrote to memory of 1808 | 1612 | 36c09a576e35a70e5400c545c19f3ad5420e4c33.exe | 26
PID 1808 wrote to memory of 1988 | 1808 | МиПеЛЩВыСи.exe | 27
PID 1216 wrote to memory of 756 | 1216 | taskeng.exe | 29
PID 756 wrote to memory of 2032 | 756 | МиПеЛЩВыСи.exe | 30

Executes dropped EXE 2 IoCs
pid | Process
1808 | МиПеЛЩВыСи.exe
756 | МиПеЛЩВыСи.exe
Processes
C:\Users\Admin\AppData\Local\Temp\36c09a576e35a70e5400c545c19f3ad5420e4c33.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\36c09a576e35a70e5400c545c19f3ad5420e4c33.exe"
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1612

C:\ProgramData\МиПеЛЩВыСи.exe
Command line: "C:\ProgramData\МиПеЛЩВыСи.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 1808

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
PID: 1988

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {725DEC24-6316-4B29-8EDC-C8E24EA2272F} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID: 1216

C:\Users\Admin\AppData\Roaming\iCloud\МиПеЛЩВыСи.exe
Command line: C:\Users\Admin\AppData\Roaming\iCloud\МиПеЛЩВыСи.exe
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 756

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
PID: 2032