Analysis

  • max time kernel
    138s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-05-2024 18:57

General

  • Target

    12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe

  • Size

    1.3MB

  • MD5

    bdc8d9c8c9df046f73b02d05877195ad

  • SHA1

    ed4ea4a34545c8de7a73c67c5b7373bdfd1c3b37

  • SHA256

    12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df

  • SHA512

    50920f1f0b07c6e9f448fe024c30a6b1ed96036c60ce82e44778d449073468393d8bfcfff0c1edf430453379468b03e6188165439dcf0c1720cf79191a7dcc9a

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOFZ+jJ/1q0GrbcUxnMj/:E5aIwC+Agr6StVEnmcKWnq0vlj/

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe
    "C:\Users\Admin\AppData\Local\Temp\12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        PID:4536
  • C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      PID:3652
  • C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe

    Filesize
    1.3MB

    MD5
    bdc8d9c8c9df046f73b02d05877195ad

    SHA1
    ed4ea4a34545c8de7a73c67c5b7373bdfd1c3b37

    SHA256
    12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df

    SHA512
    50920f1f0b07c6e9f448fe024c30a6b1ed96036c60ce82e44778d449073468393d8bfcfff0c1edf430453379468b03e6188165439dcf0c1720cf79191a7dcc9a

  • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

    Filesize
    17KB

    MD5
    9588d5754ee341a16277db7a50cfd3ef

    SHA1
    0488684d619ee31d7f542448e7cef57670b991d9

    SHA256
    70550e359dd890ffdbf34e8b5e180e23985b6b96d0aa24b0d3d4d61eea94a984

    SHA512
    b5b41e4b94268790e25a2022f2decb5625ded26106042e08c38be213147554f22c13e09054faa6a171a9ebff78cfc5ae0dfe0484998034a447439663a1eb0618
