Analysis
- max time kernel: 138s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 18:57
Behavioral task
- behavioral1
- Sample: 12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe
- Resource: win7-20240221-en
(The results below come from the win10v2004-20240419-en run listed under Analysis; the memory-dump reference in the Trickbot signature points at behavioral2.)
General
- Target: 12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe
- Size: 1.3MB
- MD5: bdc8d9c8c9df046f73b02d05877195ad
- SHA1: ed4ea4a34545c8de7a73c67c5b7373bdfd1c3b37
- SHA256: 12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df
- SHA512: 50920f1f0b07c6e9f448fe024c30a6b1ed96036c60ce82e44778d449073468393d8bfcfff0c1edf430453379468b03e6188165439dcf0c1720cf79191a7dcc9a
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOFZ+jJ/1q0GrbcUxnMj/:E5aIwC+Agr6StVEnmcKWnq0vlj/
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  YARA rule family_kpot matched on the dropped file C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  YARA rule trickbot_loader32 matched in the memory dump behavioral2/memory/1004-15-0x0000000003010000-0x0000000003039000-memory.dmp (PID 1004, the submitted sample).
  Note that two different family rules fired, one on the dropped file on disk and one on unpacked memory of the original process; treat the family attribution as unconfirmed until the unpacked payload is examined directly.
- Executes dropped EXE (3 IoCs)
  Three instances of the dropped copy 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe were executed: PIDs 4476, 5040 and 2780.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeTcbPrivilege enabled by PID 5040 (12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe)
  Token: SeTcbPrivilege enabled by PID 2780 (12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1004 (12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe), PID 4476, PID 5040 and PID 2780 (each 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Cross-process memory writes, listed as source PID, target PID, source image and target image. The 64 recorded rows are repeats of these four edges:
  - PID 1004 wrote to memory of 4476: 12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe into 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe (3 writes)
  - PID 4476 wrote to memory of 4536: 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe into svchost.exe (repeated writes)
  - PID 5040 wrote to memory of 3652: 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe into svchost.exe (repeated writes)
  - PID 2780 wrote to memory of 2452: 12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe into svchost.exe (repeated writes)
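The WriteProcessMemory rows above are the most useful part of this report for triage: a binary running from a user-writable path writes into a freshly started svchost.exe, and the dropped copy is byte-identical to the submitted sample (the Downloads section shows the same MD5/SHA1/SHA256) under a filename in which several decimal digits have been incremented by one. The following script is an added example, not the sandbox vendor's tooling or the sample's code: it parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" shape, collapses the repeats into per-edge counts, flags non-system images writing into system images, and tests a candidate dropped filename for the digit-increment pattern. The sample rows are constructed from the report (only a handful of the 64, plus one deliberately malformed row); the function names and the `SYSTEM_IMAGES` set are assumptions for illustration.

```python
"""Triage helpers for flattened sandbox WriteProcessMemory rows.

Added example: not part of the sandbox report or of any vendor tooling.
Function names and SYSTEM_IMAGES are illustrative assumptions.
"""
import re
from collections import Counter

# Filenames taken from the report: submitted sample and the WinSocket copy.
ORIGINAL = "12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe"
DROPPED = "12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe"

# Constructed sample rows in the report's row shape (a subset of its 64 rows;
# the last row is deliberately malformed to exercise the skip path).
WRITE_EVENTS = [
    f"PID 1004 wrote to memory of 4476 1004 {ORIGINAL} {DROPPED}",
    f"PID 4476 wrote to memory of 4536 4476 {DROPPED} svchost.exe",
    f"PID 4476 wrote to memory of 4536 4476 {DROPPED} svchost.exe",
    f"PID 5040 wrote to memory of 3652 5040 {DROPPED} svchost.exe",
    f"PID 2780 wrote to memory of 2452 2780 {DROPPED} svchost.exe",
    "this row does not match the expected shape",
]

# The source PID appears twice in each row; the backreference enforces that.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Assumption: images that should never be a WriteProcessMemory *target* of
# something running outside the system directories.
SYSTEM_IMAGES = {"svchost.exe"}


def parse_write_events(lines):
    """Parse rows into (src_pid, dst_pid, src_image, dst_image) tuples.

    Rows that do not match the expected shape are skipped, not guessed at.
    """
    events = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def summarize_writes(events):
    """Collapse repeated rows into a count per (src_pid, dst_pid, dst_image) edge."""
    return dict(Counter((src, dst, dst_img) for src, dst, _, dst_img in events))


def injection_candidates(events, system_images=SYSTEM_IMAGES):
    """Edges where a non-system image writes into a system image.

    Returns sorted unique (src_pid, dst_pid, src_image) tuples; each one is a
    process-injection candidate worth pulling the target's memory for.
    """
    hits = {
        (src, dst, src_img)
        for src, dst, src_img, dst_img in events
        if dst_img.lower() in system_images and src_img.lower() not in system_images
    }
    return sorted(hits)


def is_incremented_copy(original, dropped):
    """True when `dropped` is `original` with some decimal digits each raised by one.

    This is the relationship between the submitted sample's name and the
    WinSocket copy in the report. Identical names return False, as does any
    change that is not a single-digit increment.
    """
    if len(original) != len(dropped) or original == dropped:
        return False
    for o, d in zip(original, dropped):
        if o == d:
            continue
        if not (o.isdigit() and d.isdigit() and int(d) == int(o) + 1):
            return False
    return True


if __name__ == "__main__":
    evts = parse_write_events(WRITE_EVENTS)
    for edge, n in sorted(summarize_writes(evts).items()):
        print(f"{edge[0]} -> {edge[1]} ({edge[2]}): {n} write(s)")
    print("injection candidates:", injection_candidates(evts))
    print("dropped name is incremented copy:", is_incremented_copy(ORIGINAL, DROPPED))
```

Run it against the full row list from a report instead of the constructed subset to get the real per-edge counts; the malformed-row path matters because flattened reports often split a row across a line break, and a silently mis-parsed PID is worse than a skipped one.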
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree as recorded; indentation shows parent/child depth. PIDs 5040 and 2780 appear at the top level with no observed parent in the tree.)
- C:\Users\Admin\AppData\Local\Temp\12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df.exe"
  PID: 1004
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
    PID: 4476
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4536
- C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
  PID: 5040
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 3652
- C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
  PID: 2780
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 2452
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\WinSocket\12e9413bc03fec8cbfe1eba43f1629b0690047030b63f9b3309c22fc929c19df.exe
  Filesize: 1.3MB
  MD5: bdc8d9c8c9df046f73b02d05877195ad
  SHA1: ed4ea4a34545c8de7a73c67c5b7373bdfd1c3b37
  SHA256: 12e8413bc03fec7cbfe1eba43f1528b0580046030b53f8b3309c22fc929c18df
  SHA512: 50920f1f0b07c6e9f448fe024c30a6b1ed96036c60ce82e44778d449073468393d8bfcfff0c1edf430453379468b03e6188165439dcf0c1720cf79191a7dcc9a
  (Hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy under a different filename.)
- (path not recorded)
  Filesize: 17KB
  MD5: 9588d5754ee341a16277db7a50cfd3ef
  SHA1: 0488684d619ee31d7f542448e7cef57670b991d9
  SHA256: 70550e359dd890ffdbf34e8b5e180e23985b6b96d0aa24b0d3d4d61eea94a984
  SHA512: b5b41e4b94268790e25a2022f2decb5625ded26106042e08c38be213147554f22c13e09054faa6a171a9ebff78cfc5ae0dfe0484998034a447439663a1eb0618