Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-05-2024 22:42

General

  • Target

    75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe

  • Size

    1.2MB

  • MD5

    48f6dbb8b5290fb594f8e026fe33e44a

  • SHA1

    b6fe101495fe998f49993069bd9a4d413d01f8cd

  • SHA256

    75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8

  • SHA512

    94fde7134040901439266f32baa05c1c80bc4bef0d8e0364ff620b838b52768574071fa20db5b51c5adfd82fb2b4feaf7d7968b1f2136f409846b6c5d38967eb

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSA:E5aIwC+Agr6g81p1vsrNiA

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe
    "C:\Users\Admin\AppData\Local\Temp\75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:5112
    • C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:4124
      • C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
        C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          2⤵
            PID:1432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe

    Filesize

    1.2MB

    MD5

    48f6dbb8b5290fb594f8e026fe33e44a

    SHA1

    b6fe101495fe998f49993069bd9a4d413d01f8cd

    SHA256

    75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8

    SHA512

    94fde7134040901439266f32baa05c1c80bc4bef0d8e0364ff620b838b52768574071fa20db5b51c5adfd82fb2b4feaf7d7968b1f2136f409846b6c5d38967eb

  • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

    Filesize

    37KB

    MD5

    e5cc6f9a461f44a9c37e43833033f152

    SHA1

    ef2a9c9c3e0129edf2f6247c3769c2da21ef934a

    SHA256

    a52f666bd34e5301623700962a1be7d2f13f14b71ba766223e8f571849ec54fb

    SHA512

    cbbf1fdec2cadf57a694d3910e182973da9e0c8c1a58a7f4fe9eedc82da9457734bee5417b5e24208c9407eeba5633316645518cf665445b9e80ef6043b65f0e
