Analysis
max time kernel: 135s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 06-05-2024 00:52
Behavioral task: behavioral1
Sample: 94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd.exe
Resource: win7-20240221-en
General
Target: 94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd.exe
Size: 1.2MB
MD5: 0c9e80007f495561fbd69448cf681e52
SHA1: 15aff8bdb73701d9c8ef9caf3eeca7124fa31b93
SHA256: 94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd
SHA512: 87497d804ede217a3a6d7969d36d2183c6b6a546c45e5d3c231e0963d58075c58b34b36459366952a347c84d98ee291e4eebadf48fdd0be01908c92b428d1da8
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIN:E5aIwC+Agr6S/FEVI
Malware Config
Signatures
KPOT Core Executable (1 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  yara_rule: family_kpot
Trickbot x86 loader (1 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource: behavioral2/memory/3068-15-0x0000000002AD0000-0x0000000002AF9000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE (3 IoCs)
Processes (pid, process):
  3580  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  1740  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  2244  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeTcbPrivilege  1740  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  Token: SeTcbPrivilege  2244  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
  3068  94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd.exe
  3580  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  1740  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  2244  94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3068
   2. C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3580
      3. C:\Windows\system32\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 1600
1. C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1740
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 1516
1. C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2244
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 2240
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\WinSocket\94f8e982d8e27c3aea140cbae043a1eb8e799d97987a9017a8b9101117f27efd.exe
  Filesize: 1.2MB
  MD5: 0c9e80007f495561fbd69448cf681e52
  SHA1: 15aff8bdb73701d9c8ef9caf3eeca7124fa31b93
  SHA256: 94f7e972d7e26c3aea140cbae043a1eb7e689d96976a8016a7b9101116f26efd
  SHA512: 87497d804ede217a3a6d7969d36d2183c6b6a546c45e5d3c231e0963d58075c58b34b36459366952a347c84d98ee291e4eebadf48fdd0be01908c92b428d1da8

(unnamed file)
  Filesize: 24KB
  MD5: ef2c6af9176fb0def098b359211f6d21
  SHA1: ca7ecaed4f2d40c3bd2d0f61f1a993b53cdfcf1f
  SHA256: de609237146ec86288ddb6bd4d07451f3206f8079f0b4cb62341fc624a54dfda
  SHA512: 83e3cafd59031be5c29ef7a09e41ec4a82f8f33c1bfc11ec1c27b28e049c222ae389385fe790f472f303c2bd56869363ee443acf35990a7aabf693b0f4647038