Analysis
- max time kernel: 135s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 02-05-2024 22:25
Behavioral task: behavioral1
- Sample: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
- Resource: win7-20240419-en
General
- Target: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
- Size: 1.0MB
- MD5: 89aebd087e215625a9a8ef611af8b115
- SHA1: 6bf4655bb38e4902a4b401fcd8db88cffcfffbcb
- SHA256: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc
- SHA512: addbafb7c0b816c823472f9234ac1761ad17fdf7c04552b7e609db5925092babfc9e35e41ff88becbf7115dda748bc9594b17b28011b7549a9336c521af474de
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ9skQ6:E5aIwC+Agr6SNbf
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
  - resource: \Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe, yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
  - resource: behavioral1/memory/3024-15-0x00000000003C0000-0x00000000003E9000-memory.dmp, yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2744: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - PID 2488: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - PID 908: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - description: File opened for modification; ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - PID 2876: sc.exe
  - PID 2548: sc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  - PID 2432: powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2432: powershell.exe
  - Token: SeTcbPrivilege, PID 2488: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - Token: SeTcbPrivilege, PID 908: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - PID 3024: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  - PID 2744: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - PID 2488: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - PID 908: 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process, target PID and process, number of recorded entries for that pair):
  - PID 3024 (5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe) wrote to memory of PID 3060 (cmd.exe): 4 entries
  - PID 3024 (5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe) wrote to memory of PID 2616 (cmd.exe): 4 entries
  - PID 3024 (5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe) wrote to memory of PID 2172 (cmd.exe): 4 entries
  - PID 3024 (5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe) wrote to memory of PID 2744 (6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe): 4 entries
  - PID 3060 (cmd.exe) wrote to memory of PID 2548 (sc.exe): 4 entries
  - PID 2616 (cmd.exe) wrote to memory of PID 2876 (sc.exe): 4 entries
  - PID 2172 (cmd.exe) wrote to memory of PID 2432 (powershell.exe): 4 entries
  - PID 2744 (6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe) wrote to memory of PID 2580 (svchost.exe): 28 entries
  - PID 2764 (taskeng.exe) wrote to memory of PID 2488 (6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe): 4 entries
  - PID 2488 (6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe) wrote to memory of PID 2244 (svchost.exe): 4 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe (PID 3024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3060)
    Command line: /c sc stop WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2548)
      Command line: sc stop WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2616)
    Command line: /c sc delete WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2876)
      Command line: sc delete WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2172)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2432)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (PID 2744)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2580)
      Command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 2764)
  Command line: taskeng.exe {9D201EE3-22BC-417D-A411-D39288A9C915} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (PID 2488)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2244)
      Command line: C:\Windows\system32\svchost.exe
  - C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (PID 908)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\svchost.exe (PID 1868)
      Command line: C:\Windows\system32\svchost.exe
Downloads
- \Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  Filesize: 1.0MB
  MD5: 89aebd087e215625a9a8ef611af8b115
  SHA1: 6bf4655bb38e4902a4b401fcd8db88cffcfffbcb
  SHA256: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc
  SHA512: addbafb7c0b816c823472f9234ac1761ad17fdf7c04552b7e609db5925092babfc9e35e41ff88becbf7115dda748bc9594b17b28011b7549a9336c521af474de
  (These hashes are identical to those of the submitted sample: the file dropped under WinSocket is a byte-for-byte copy of the original executable under a different name.)