Analysis
max time kernel: 135s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 06:19
Behavioral task: behavioral1
Sample: fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
Resource: win7-20231129-en
General
Target: fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
Size: 1.3MB
MD5: 75ed2db3311875af8e577edbcfd75ecd
SHA1: 2a35e68ae943b5ca1ef38717423c537158184a4d
SHA256: fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e
SHA512: 0e80cf8f6357815401f50cc1862c1372bf7302822aef3aa0ec7c579d52b5c696870e0bcdae0126fb2f99cb798126cc136abf7e9c60b460cfacc096328f5fdac1
SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSs:E5aIwC+Agr6g81p1vsrNis
Malware Config
Signatures
- KPOT Core Executable (1 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe  family_kpot
- Trickbot x86 loader (1 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource, yara_rule):
    behavioral1/memory/2960-15-0x0000000000540000-0x0000000000569000-memory.dmp  trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2632  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
    1688  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
    2340  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    2636  sc.exe
    2440  sc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    2588  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2588  powershell.exe
    Token: SeTcbPrivilege    1688  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
    Token: SeTcbPrivilege    2340  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
    2960  fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    2632  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
    1688  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
    2340  fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 64 parent-to-child WriteProcessMemory events between the processes shown in the process tree below (raw per-event dump omitted).
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2960

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c sc stop WinDefend
        - Suspicious use of WriteProcessMemory
        PID: 2856

        [3] C:\Windows\SysWOW64\sc.exe
            command line: sc stop WinDefend
            - Launches sc.exe
            PID: 2440

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c sc delete WinDefend
        - Suspicious use of WriteProcessMemory
        PID: 2908

        [3] C:\Windows\SysWOW64\sc.exe
            command line: sc delete WinDefend
            - Launches sc.exe
            PID: 2636

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious use of WriteProcessMemory
        PID: 2840

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2588

    [2] C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2632

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID: 2476

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {659571C1-4900-4EC1-AFAB-EA039E66A74E} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
    PID: 2732

    [2] C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1688

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID: 1872

    [2] C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2340

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID: 1608
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Roaming\WinSocket\fd6d1e3f617d1964bd933d499de4024bce7198347a01b8463000764bf42cdb9e.exe
Filesize: 1.3MB
MD5: 75ed2db3311875af8e577edbcfd75ecd
SHA1: 2a35e68ae943b5ca1ef38717423c537158184a4d
SHA256: fd5d1e3f516d1954bd833d489de4024bce6197346a01b7453000654bf42cdb9e
SHA512: 0e80cf8f6357815401f50cc1862c1372bf7302822aef3aa0ec7c579d52b5c696870e0bcdae0126fb2f99cb798126cc136abf7e9c60b460cfacc096328f5fdac1