Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 03:41

Behavioral task: behavioral1
Sample: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe
Resource: win7-20240221-en

General

Target: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe
Size: 1.3MB
MD5: c480908dbb73f40acfe629f08a7bdeb5
SHA1: 234f593a4c607d5f202a9e6eed8dd46061c880a2
SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
SHA512: d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd
SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOS2e:E5aIwC+Agr6g81p1vsrNiL
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
yara_rule: family_kpot
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource: behavioral2/memory/1976-15-0x0000000002AD0000-0x0000000002AF9000-memory.dmp
yara_rule: trickbot_loader32
-
Executes dropped EXE 3 IoCs
Processes:
pid 1736: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
pid 4368: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
pid 2884: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pid 4368: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe, Token: SeTcbPrivilege
pid 2884: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe, Token: SeTcbPrivilege
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 1976: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe
pid 1736: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
pid 4368: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
pid 2884: bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe
command line: "C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
-
    C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1736
    -
        C:\Windows\system32\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID:4600
-
C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
command line: C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368
-
    C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    PID:3568
-
C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
command line: C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
-
    C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    PID:4308
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
Filesize: 1.3MB
MD5: c480908dbb73f40acfe629f08a7bdeb5
SHA1: 234f593a4c607d5f202a9e6eed8dd46061c880a2
SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
SHA512: d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd
-
Filesize: 25KB
MD5: 1eee9adaab6c27e7e61db969613a03c0
SHA1: db5227767dec5584fc075fe58daa4e23b64707b9
SHA256: 53e226fea542441bf2cefb3f7a93b710fc8ff858cb2315c48d838ecda3c54b57
SHA512: adfc8c604334c9190146e4e360e3e845b27c0a23960c886d7979353104d6edd1992e8ad8e8b7ef4f9499d2f4ebda54869ed2470ad8d110f14dbc358dd8c3459e