Analysis
  max time kernel:  135s
  max time network: 132s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240419-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        05-05-2024 19:24
Behavioral task: behavioral1
  Sample:   1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe
  Resource: win7-20240215-en
General
  Target: 1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe
  Size:   1.2MB
  MD5:    c5e9b73d076dff4ffcf1843498645067
  SHA1:   1572aa5015ebaa7723c21019d07df4f3a3d6b15a
  SHA256: 1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661
  SHA512: 1bf7ee4e0d970612324a772e4f948682dba38884ceba1bb211ee15f77946107af83ba38e8a59defd8d7c50bd0fd28b8b5ae5b214551863fa491964fd8a17045f
  SSDEEP: 24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOxA5zYlo1c51Wn1:E5aIwC+Agr6StVEnmcKxY/O1W
Malware Config
Signatures

KPOT Core Executable (1 IoC)
  resource                                                                                              | yara_rule
  C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe | family_kpot
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource                                                                  | yara_rule
  behavioral2/memory/2156-15-0x00000000006C0000-0x00000000006E9000-memory.dmp | trickbot_loader32
Executes dropped EXE (3 IoCs)
  pid  | process
  1244 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
  1728 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
  2848 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description            | pid  | process
  Token: SeTcbPrivilege  | 1728 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
  Token: SeTcbPrivilege  | 2848 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  | process
  2156 | 1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe
  1244 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
  1728 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
  2848 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical repeated events collapsed into one row each)
  description                        | pid  | process                                                                  | target process
  PID 2156 wrote to memory of 1244   | 2156 | 1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe  (repeated)
  PID 1244 wrote to memory of 5020   | 1244 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe | svchost.exe  (repeated)
  PID 1728 wrote to memory of 1540   | 1728 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe | svchost.exe  (repeated)
  PID 2848 wrote to memory of 4864   | 2848 | 1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe | svchost.exe  (repeated)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Tree 1
  [1] C:\Users\Admin\AppData\Local\Temp\1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661.exe"
      PID: 2156
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
        Command line: C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
        PID: 1244
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 5020

Tree 2
  [1] C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
      PID: 1728
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 1540

Tree 3
  [1] C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
      PID: 2848
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 4864
Network
MITRE ATT&CK Enterprise v15
Downloads

  C:\Users\Admin\AppData\Roaming\WinSocket\1caf10c69836cac2cbe26db4a4a77481fd96d4398a9cd44ce29947a9e9c2e771.exe
    Filesize: 1.2MB
    MD5:      c5e9b73d076dff4ffcf1843498645067
    SHA1:     1572aa5015ebaa7723c21019d07df4f3a3d6b15a
    SHA256:   1caf10c58735cac2cbe25db4a4a66471fd85d4397a9cd44ce29946a9e8c2e661
    SHA512:   1bf7ee4e0d970612324a772e4f948682dba38884ceba1bb211ee15f77946107af83ba38e8a59defd8d7c50bd0fd28b8b5ae5b214551863fa491964fd8a17045f

  (no path recorded)
    Filesize: 75KB
    MD5:      3db5812141879f16134a42f652f79baa
    SHA1:     3b6ff336e6d37e446551d31a994e9af321b6f771
    SHA256:   04dc224361d2c9bcd69814758432f517673782aa2976932523f77000cfc756d5
    SHA512:   90441dbe46a5ee1e635c7d3641946116b6b509dd7596182c3deb074c80b8d289348547b9722dde6a0763af1b6d76f02723b18179c92c2b9ce1984f8e7befbd0f