Analysis
max time kernel: 144s
max time network: 151s
resource: win7v191014

Task: task1
Sample: 428f9a2b4cbc33879806996a030c02f0e60521b9.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: 428f9a2b4cbc33879806996a030c02f0e60521b9.exe
Resource: win10v191014
0 signatures

General
Target: 428f9a2b4cbc33879806996a030c02f0e60521b9
Sample: 191018-xkfwrmh4f2
SHA256: 6e25a2f2af3466370503b75f31440d1d48e10b89376f224bd1f4090ba8062710
Score: N/A
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid | Process
300 | 428f9a2b4cbc33879806996a030c02f0e60521b9.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 300 wrote to memory of 2024 | 300 | 428f9a2b4cbc33879806996a030c02f0e60521b9.exe | 27
PID 2024 wrote to memory of 1332 | 2024 | авоор.exe | 28
PID 1952 wrote to memory of 1136 | 1952 | taskeng.exe | 30
PID 1136 wrote to memory of 1976 | 1136 | авоор.exe | 31
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeTcbPrivilege | 1976 | svchost.exe

Trickbot persistence files
description | ioc | pid | Process
File created | C:\Users\Admin\AppData\Roaming\netRest\settings.ini | 1976 | svchost.exe

Modifies system certificate store
description | ioc | pid | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value omitted) | 1976 | svchost.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
300 | 428f9a2b4cbc33879806996a030c02f0e60521b9.exe
2024 | авоор.exe
1136 | авоор.exe
Executes dropped EXE 2 IoCs
pid | Process
2024 | авоор.exe
1136 | авоор.exe
Uses Task Scheduler COM API 1 TTPs 26 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1332 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid | 1332 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID | 1332 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ | 1332 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 1332 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 1332 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 | 1332 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ | 1332 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler | 1332 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1976 | svchost.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 1976 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs | 1976 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid | 1976 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ | 1976 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ | 1976 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 1976 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 | 1976 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ | 1976 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel | 1976 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 | 1976 | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler | 1976 | svchost.exe
Drops file in system dir 20 IoCs
description | ioc | pid | Process
File created (read-only) | C:\Windows\TEMP\CabA784.tmp | 1976 | svchost.exe
File created (read-only) | C:\Windows\TEMP\TarA795.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\CabA784.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\TarA795.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\CabA784.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\TarA795.tmp | 1976 | svchost.exe
File created (read-only) | C:\Windows\TEMP\CabA7C5.tmp | 1976 | svchost.exe
File created (read-only) | C:\Windows\TEMP\TarA7C6.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\CabA7C5.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\TarA7C6.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\CabA7C5.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\TarA7C6.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | 1976 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | 1976 | svchost.exe
File created (read-only) | C:\Windows\TEMP\CabBD0B.tmp | 1976 | svchost.exe
File created (read-only) | C:\Windows\TEMP\TarBD0C.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\CabBD0B.tmp | 1976 | svchost.exe
File opened for modification | C:\Windows\TEMP\TarBD0C.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\CabBD0B.tmp | 1976 | svchost.exe
File deleted | C:\Windows\Temp\TarBD0C.tmp | 1976 | svchost.exe
Family: trickbot
Processes
C:\Users\Admin\AppData\Local\Temp\428f9a2b4cbc33879806996a030c02f0e60521b9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\428f9a2b4cbc33879806996a030c02f0e60521b9.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID: 300

C:\ProgramData\авоор.exe
Command line: "C:\ProgramData\авоор.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID: 2024

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Uses Task Scheduler COM API
PID: 1332

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {FA05A52C-C485-4A05-919C-E12E3B26FA59} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID: 1952

C:\Users\Admin\AppData\Roaming\netRest\авоор.exe
Command line: C:\Users\Admin\AppData\Roaming\netRest\авоор.exe
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID: 1136

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Suspicious use of AdjustPrivilegeToken
- Trickbot persistence files
- Modifies system certificate store
- Uses Task Scheduler COM API
- Drops file in system dir
PID: 1976
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1130