Analysis
- max time kernel: 145s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-05-2024 22:25
Behavioral task: behavioral1
Sample: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
Resource: win7-20240419-en
General
- Target: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
- Size: 1.0MB
- MD5: 89aebd087e215625a9a8ef611af8b115
- SHA1: 6bf4655bb38e4902a4b401fcd8db88cffcfffbcb
- SHA256: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc
- SHA512: addbafb7c0b816c823472f9234ac1761ad17fdf7c04552b7e609db5925092babfc9e35e41ff88becbf7115dda748bc9594b17b28011b7549a9336c521af474de
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ9skQ6:E5aIwC+Agr6SNbf
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
  resource: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
  resource: behavioral2/memory/3152-17-0x0000000002B00000-0x0000000002B29000-memory.dmp
  yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4044 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  4496 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  2896 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Modifies data under HKEY_USERS (41 IoCs)
  Processes:
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeTcbPrivilege 2896 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
  3152 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe
  4044 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  2896 6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes:
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3152
  - C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4044
    - C:\Windows\system32\svchost.exe (level 3)
      Command line: C:\Windows\system32\svchost.exe
      PID: 1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
  PID: 2008
- C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - Executes dropped EXE
  PID: 4496
  - C:\Windows\system32\svchost.exe (level 2)
    Command line: C:\Windows\system32\svchost.exe
    - Modifies data under HKEY_USERS
    PID: 4328
- C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2896
  - C:\Windows\system32\svchost.exe (level 2)
    Command line: C:\Windows\system32\svchost.exe
    PID: 2268
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\WinSocket\6e0469fdef399f9bfc20bb42842d33db30a78e2da4190611f4dc28c79f9fbedc.exe
  Filesize: 1.0MB
  MD5: 89aebd087e215625a9a8ef611af8b115
  SHA1: 6bf4655bb38e4902a4b401fcd8db88cffcfffbcb
  SHA256: 5e0458fdef398f8bfc20bb42742d33db30a67e2da4180511f4dc27c69f8fbedc
  SHA512: addbafb7c0b816c823472f9234ac1761ad17fdf7c04552b7e609db5925092babfc9e35e41ff88becbf7115dda748bc9594b17b28011b7549a9336c521af474de
- Filesize: 44KB
  MD5: 8441a3403880a926e9462a8b9c6034b2
  SHA1: 2bb638e462e6c179dd0be9f85837c1b3182292ee
  SHA256: f6f29568ba410ecbc670036d0190157c413e4b9ee3b273de403c5405ee055152
  SHA512: 6b7028cd0d342fbbc2622869919674bbe772e9fc0132588ed8054db44b0790454e13606ad9d27d2cb76830f473e92b7d2cfd34c56b8353c81f49718b1670e03e