bbef4b3dd5c38980d54261ecc4220545f428a71c3238893e12458b2608de2c9d

General

Target

b70119e477f01a901a14a0378ced471f93cee7f6
Sample

191018-n76fe2empj
SHA256

bbef4b3dd5c38980d54261ecc4220545f428a71c3238893e12458b2608de2c9d

Score

N/A

Malware Config

Signatures

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

Processes:

svchost.exesvchost.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1160	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1160	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	1160	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1160	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1160	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1160	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1160	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1160	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1160	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	2044	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	2044	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	2044	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	2044	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	2044	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	2044	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	2044	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	2044	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	2044	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	2044	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	2044	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	2044	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 2044 svchost.exe
Trickbot persistence files 1 IoCs
trojan banker

Processes:

svchost.exe

description ioc pid process

File created C:\Users\Admin\AppData\Roaming\netcloud\settings.ini 2044 svchost.exe

description	pid	process
Token: SeTcbPrivilege	2044	svchost.exe

description	ioc	pid	process
File created	C:\Users\Admin\AppData\Roaming\netcloud\settings.ini	2044	svchost.exe

Drops file in system dir 20 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File created (read-only)	C:\Windows\TEMP\Cab9CEA.tmp	2044	svchost.exe
File created (read-only)	C:\Windows\TEMP\Tar9CEB.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\Cab9CEA.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\Tar9CEB.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\Cab9CEA.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\Tar9CEB.tmp	2044	svchost.exe
File created (read-only)	C:\Windows\TEMP\Cab9CFB.tmp	2044	svchost.exe
File created (read-only)	C:\Windows\TEMP\Tar9CFC.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\Cab9CFB.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\Tar9CFC.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\Cab9CFB.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\Tar9CFC.tmp	2044	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	2044	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	2044	svchost.exe
File created (read-only)	C:\Windows\TEMP\CabB1D5.tmp	2044	svchost.exe
File created (read-only)	C:\Windows\TEMP\TarB1D6.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\CabB1D5.tmp	2044	svchost.exe
File opened for modification	C:\Windows\TEMP\TarB1D6.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\CabB1D5.tmp	2044	svchost.exe
File deleted	C:\Windows\Temp\TarB1D6.tmp	2044	svchost.exe

trickbot family
family
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b70119e477f01a901a14a0378ced471f93cee7f6.exeՕգտագործելով.exeՕգտագործելով.exe

pid process

1368 b70119e477f01a901a14a0378ced471f93cee7f6.exe
1092 Օգտագործելով.exe
1816 Օգտագործելով.exe
Loads dropped DLL 1 IoCs

Processes:

b70119e477f01a901a14a0378ced471f93cee7f6.exe

pid process

1368 b70119e477f01a901a14a0378ced471f93cee7f6.exe

pid	process
1368	b70119e477f01a901a14a0378ced471f93cee7f6.exe
1092	Օգտագործելով.exe
1816	Օգտագործելով.exe

pid	process
1368	b70119e477f01a901a14a0378ced471f93cee7f6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b70119e477f01a901a14a0378ced471f93cee7f6.exeՕգտագործելով.exetaskeng.exeՕգտագործելով.exe

description	pid	process	target process
PID 1368 wrote to memory of 1092	1368	b70119e477f01a901a14a0378ced471f93cee7f6.exe	Օգտագործելով.exe
PID 1092 wrote to memory of 1160	1092	Օգտագործելով.exe	svchost.exe
PID 816 wrote to memory of 1816	816	taskeng.exe	Օգտագործելով.exe
PID 1816 wrote to memory of 2044	1816	Օգտագործելով.exe	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

Օգտագործելով.exeՕգտագործելով.exe

pid process

1092 Օգտագործելով.exe
1816 Օգտագործելով.exe

pid	process
1092	Օգտագործելով.exe
1816	Օգտագործելով.exe

C:\Users\Admin\AppData\Local\Temp\b70119e477f01a901a14a0378ced471f93cee7f6.exe
"C:\Users\Admin\AppData\Local\Temp\b70119e477f01a901a14a0378ced471f93cee7f6.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\ProgramData\Օգտագործելով.exe
"C:\ProgramData\Օգտագործելով.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:1160

C:\Windows\system32\taskeng.exe
taskeng.exe {4D2D170B-D071-449D-B167-3B8D77EF3994} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Drops file in system dir
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Օգտագործելով.exe

Download Submit
C:\ProgramData\Օգտագործելով.exe

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\Օգտագործելով.exe

Download Submit
\ProgramData\Օգտագործելով.exe

Download Submit
\ProgramData\Օգտագործելով.exe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads