0544789e0e878b3e32334ad2119e39a7fa2e6ae3f3cd5c11f3bc53a24311053d

General

Target

9957fe40ae9a7a2630593fd82544d4ea39ca47d7
Sample

191018-pjatzgm2xn
SHA256

0544789e0e878b3e32334ad2119e39a7fa2e6ae3f3cd5c11f3bc53a24311053d

Score

N/A

Malware Config

Signatures

Trickbot persistence files 1 IoCs
trojan banker

Processes:

svchost.exe

description ioc pid process

File created C:\Users\Admin\AppData\Roaming\netcloud\settings.ini 1948 svchost.exe
trickbot family
family
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exeСмЛДВыуцЩЗ.exeСмЛДВыуцЩЗ.exe

pid process

1380 9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe
1336 СмЛДВыуцЩЗ.exe
2040 СмЛДВыуцЩЗ.exe
Loads dropped DLL 1 IoCs

Processes:

9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe

pid process

1380 9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe

description	ioc	pid	process
File created	C:\Users\Admin\AppData\Roaming\netcloud\settings.ini	1948	svchost.exe

pid	process
1380	9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe
1336	СмЛДВыуцЩЗ.exe
2040	СмЛДВыуцЩЗ.exe

pid	process
1380	9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exeСмЛДВыуцЩЗ.exetaskeng.exeСмЛДВыуцЩЗ.exe

description	pid	process	target process
PID 1380 wrote to memory of 1336	1380	9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe	СмЛДВыуцЩЗ.exe
PID 1336 wrote to memory of 1056	1336	СмЛДВыуцЩЗ.exe	svchost.exe
PID 1988 wrote to memory of 2040	1988	taskeng.exe	СмЛДВыуцЩЗ.exe
PID 2040 wrote to memory of 1948	2040	СмЛДВыуцЩЗ.exe	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

СмЛДВыуцЩЗ.exeСмЛДВыуцЩЗ.exe

pid process

1336 СмЛДВыуцЩЗ.exe
2040 СмЛДВыуцЩЗ.exe

pid	process
1336	СмЛДВыуцЩЗ.exe
2040	СмЛДВыуцЩЗ.exe

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

Processes:

svchost.exesvchost.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1056	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1056	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1948	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1948	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1948	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1948	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1948	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1948	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1948	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1948	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1948	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1948	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1948	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1948	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1948 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1948	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe
"C:\Users\Admin\AppData\Local\Temp\9957fe40ae9a7a2630593fd82544d4ea39ca47d7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\ProgramData\СмЛДВыуцЩЗ.exe
"C:\ProgramData\СмЛДВыуцЩЗ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {6C624963-09FD-4288-832D-4271ED626ADA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\netcloud\СмЛДВыуцЩЗ.exe
C:\Users\Admin\AppData\Roaming\netcloud\СмЛДВыуцЩЗ.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Trickbot persistence files
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\СмЛДВыуцЩЗ.exe

Download Submit
C:\ProgramData\СмЛДВыуцЩЗ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\СмЛДВыуцЩЗ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\СмЛДВыуцЩЗ.exe

Download Submit
\ProgramData\СмЛДВыуцЩЗ.exe

Download Submit
\ProgramData\СмЛДВыуцЩЗ.exe

Download Submit

Analysis

Sharing