Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-05-2024 01:47

Behavioral task
- behavioral1
- Sample: ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe
- Resource: win7-20240221-en
General
- Target: ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe
- Size: 1.1MB
- MD5: 6dcfdb42e0fbf5da4e587099da9dd78d
- SHA1: f3eed14396f5e5070b5056d50d17028ce1031334
- SHA256: ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d
- SHA512: 6070920c6a0449fdaf1891f0047fd823ecac66b5cb013ea75b80b9897055b6570490816b4af0b2cbc41c623a7d958d4ffa626ca8333ccaaad29d2d5ff428ccfe
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZcnDP43T:E5aIwC+Agr6S/FFC+L43T
Malware Config
Signatures
- KPOT Core Executable 1 IoCs
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe, family_kpot
- Trickbot x86 loader 1 IoCs
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource, yara_rule):
  - behavioral2/memory/1948-15-0x0000000002230000-0x0000000002259000-memory.dmp, trickbot_loader32
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
  - 4428, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - 1980, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - 4860, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description, pid, process):
  - Token: SeTcbPrivilege, 1980, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - Token: SeTcbPrivilege, 4860, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
- Suspicious use of SetWindowsHookEx 4 IoCs
  Processes (pid, process):
  - 1948, ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe
  - 4428, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - 1980, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - 4860, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes (description, pid, process, target process). The report logs every WriteProcessMemory call as its own row, 64 rows in total; the distinct source/target pairs, each repeated across many rows, are:
  - PID 1948 wrote to memory of 4428, 1948, ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  - PID 4428 wrote to memory of 3724, 4428, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe, svchost.exe
  - PID 1980 wrote to memory of 5016, 1980, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe, svchost.exe
  - PID 4860 wrote to memory of 2408, 4860, ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe, svchost.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d.exe"
  PID: 1948
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
    PID: 4428
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (depth 3)
      command line: C:\Windows\system32\svchost.exe
      PID: 3724
- C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe (depth 1)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  PID: 1980
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (depth 2)
    command line: C:\Windows\system32\svchost.exe
    PID: 5016
- C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe (depth 1)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  PID: 4860
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (depth 2)
    command line: C:\Windows\system32\svchost.exe
    PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\WinSocket\ae2394d04fe3644f77ccd91bfa07199033318dcd9086f81b8491bc91ee204c9d.exe
  Filesize: 1.1MB
  MD5: 6dcfdb42e0fbf5da4e587099da9dd78d
  SHA1: f3eed14396f5e5070b5056d50d17028ce1031334
  SHA256: ae2394d04fe3544f66ccd81bfa06189033317dcd8075f71b7481bc91ee204c9d
  SHA512: 6070920c6a0449fdaf1891f0047fd823ecac66b5cb013ea75b80b9897055b6570490816b4af0b2cbc41c623a7d958d4ffa626ca8333ccaaad29d2d5ff428ccfe
- (no path recorded)
  Filesize: 26KB
  MD5: 71c5d87c1cab9e63ca9e2afde0116b39
  SHA1: aaceb197aff55bad98d058c9079c6be73b727cea
  SHA256: 0a430ebd92fc6d8488d38b1b917f7290b6440ae5548e530c1130a69956cb4b89
  SHA512: f6d4817c287132c53d3247398c586378f8b7390f4cc3fafd90822f081ddc2870f52b9bb4fe20aa16cef7933207e6f91fd8521ff66788fd406e9739f8cd2ac10c