52e472778acc393299cfcdfcec641895b464770da12c3d0cf2e4430201815241

General

Target

f0a6bef71d57feee7c036899edc337bc1fb69160
Sample

191018-tfbpyxqage
SHA256

52e472778acc393299cfcdfcec641895b464770da12c3d0cf2e4430201815241

Score

N/A

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1896	f0a6bef71d57feee7c036899edc337bc1fb69160.exe
1912	그다수특리고있즐래.exe
1100	그다수특리고있즐래.exe

Loads dropped DLL 1 IoCs

pid	Process
1896	f0a6bef71d57feee7c036899edc337bc1fb69160.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1912	1896	f0a6bef71d57feee7c036899edc337bc1fb69160.exe	26
PID 1912 wrote to memory of 840	1912	그다수특리고있즐래.exe	27
PID 1260 wrote to memory of 1100	1260	taskeng.exe	29
PID 1100 wrote to memory of 1960	1100	그다수특리고있즐래.exe	30

Executes dropped EXE 2 IoCs

pid	Process
1912	그다수특리고있즐래.exe
1100	그다수특리고있즐래.exe

Uses Task Scheduler COM API 1 TTPs 26 IoCs

persistence

Query Registry

T1012

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	840	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	840	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	840	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	840	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	840	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	840	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	840	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	840	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	840	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1960	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1960	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1960	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1960	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1960	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1960	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1960	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1960	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1960	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1960	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1960	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1960	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1960	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe
"C:\Users\Admin\AppData\Local\Temp\f0a6bef71d57feee7c036899edc337bc1fb69160.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\ProgramData\그다수특리고있즐래.exe
"C:\ProgramData\그다수특리고있즐래.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
PID:840

C:\Windows\system32\taskeng.exe
taskeng.exe {F1958DC2-CBFC-463D-929B-118965EF2F8B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exe
C:\Users\Admin\AppData\Roaming\netcloud\그다수특리고있즐래.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-4-0x0000000000540000-0x000000000056D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing