Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-05-2024 03:41

General

  • Target

    bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe

  • Size

    1.3MB

  • MD5

    c480908dbb73f40acfe629f08a7bdeb5

  • SHA1

    234f593a4c607d5f202a9e6eed8dd46061c880a2

  • SHA256

    bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3

  • SHA512

    d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOS2e:E5aIwC+Agr6g81p1vsrNiL

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe
    "C:\Users\Admin\AppData\Local\Temp\bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:4600
  • C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:3568
  • C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:4308

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\WinSocket\bb3dd89697486cc8c82f9039e221ef4fb2ab0704f7b91a4dfe7d0291f4b76ba3.exe
    Filesize: 1.3MB
    MD5: c480908dbb73f40acfe629f08a7bdeb5
    SHA1: 234f593a4c607d5f202a9e6eed8dd46061c880a2
    SHA256: bb3dd78596475cc7c72f8039e221ef4fb2ab0604f6b81a4dfe6d0281f4b65ba3
    SHA512: d6c9c8ea13df5f60f921521f6c3896848750a6fc915850eb848b242c8ee62ceccbac0addc2828ebf36f22d684562a8f710a739d66586c27d295d6a5e304095dd

  • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
    Filesize: 25KB
    MD5: 1eee9adaab6c27e7e61db969613a03c0
    SHA1: db5227767dec5584fc075fe58daa4e23b64707b9
    SHA256: 53e226fea542441bf2cefb3f7a93b710fc8ff858cb2315c48d838ecda3c54b57
    SHA512: adfc8c604334c9190146e4e360e3e845b27c0a23960c886d7979353104d6edd1992e8ad8e8b7ef4f9499d2f4ebda54869ed2470ad8d110f14dbc358dd8c3459e

  • memory/1736-28-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-29-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-41-0x0000000010000000-0x0000000010007000-memory.dmp (Filesize: 28KB)
  • memory/1736-40-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
  • memory/1736-26-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-27-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-36-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-52-0x0000000003060000-0x000000000311E000-memory.dmp (Filesize: 760KB)
  • memory/1736-30-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-31-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-32-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-33-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-34-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-35-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1736-53-0x0000000003160000-0x0000000003429000-memory.dmp (Filesize: 2.8MB)
  • memory/1736-37-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1976-18-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
  • memory/1976-3-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-8-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-17-0x0000000000421000-0x0000000000422000-memory.dmp (Filesize: 4KB)
  • memory/1976-5-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-10-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-15-0x0000000002AD0000-0x0000000002AF9000-memory.dmp (Filesize: 164KB)
  • memory/1976-11-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-12-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-13-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-14-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-9-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-6-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-4-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-7-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/1976-2-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
  • memory/4368-63-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-67-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-72-0x0000000000421000-0x0000000000422000-memory.dmp (Filesize: 4KB)
  • memory/4368-68-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-62-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-66-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-65-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-61-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-69-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-73-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
  • memory/4368-64-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-60-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-59-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4368-58-0x0000000001680000-0x0000000001681000-memory.dmp (Filesize: 4KB)
  • memory/4600-51-0x0000018085270000-0x0000018085271000-memory.dmp (Filesize: 4KB)
  • memory/4600-46-0x0000000010000000-0x000000001001E000-memory.dmp (Filesize: 120KB)
  • memory/4600-48-0x0000000010000000-0x000000001001E000-memory.dmp (Filesize: 120KB)