Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 22:42

Behavioral task: behavioral1
Sample: 75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe
Resource: win7-20240215-en

General
Target: 75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe
Size: 1.2MB
MD5: 48f6dbb8b5290fb594f8e026fe33e44a
SHA1: b6fe101495fe998f49993069bd9a4d413d01f8cd
SHA256: 75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8
SHA512: 94fde7134040901439266f32baa05c1c80bc4bef0d8e0364ff620b838b52768574071fa20db5b51c5adfd82fb2b4feaf7d7968b1f2136f409846b6c5d38967eb
SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSA:E5aIwC+Agr6g81p1vsrNiA
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
yara_rule: family_kpot
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource: behavioral2/memory/2796-15-0x0000000002BB0000-0x0000000002BD9000-memory.dmp
yara_rule: trickbot_loader32
Executes dropped EXE 3 IoCs
Processes:
pid 3160  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
pid 4368  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
pid 3468  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeTcbPrivilege  pid 4368  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
Token: SeTcbPrivilege  pid 3468  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 2796  process 75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe
pid 3160  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
pid 4368  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
pid 3468  process 86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe (PID 2796), command line: "C:\Users\Admin\AppData\Local\Temp\75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe (PID 3160), command line: C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\system32\svchost.exe (PID 5112), command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe (PID 4368), command line: C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\system32\svchost.exe (PID 4124), command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe (PID 3468), command line: C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\system32\svchost.exe (PID 1432), command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\WinSocket\86eff89717e93882a37c9937f3ff39339646719bc4c93dd2744819491c09cdc9.exe
  Filesize: 1.2MB
  MD5: 48f6dbb8b5290fb594f8e026fe33e44a
  SHA1: b6fe101495fe998f49993069bd9a4d413d01f8cd
  SHA256: 75eff78616e93772a36c8936f3ff38339545618bc4c93dd2644718481c09cdc8
  SHA512: 94fde7134040901439266f32baa05c1c80bc4bef0d8e0364ff620b838b52768574071fa20db5b51c5adfd82fb2b4feaf7d7968b1f2136f409846b6c5d38967eb
  (every hash matches the submitted sample, so the copy dropped into WinSocket is byte-for-byte identical to the original despite its different file name)
- (no path given in the report)
  Filesize: 37KB
  MD5: e5cc6f9a461f44a9c37e43833033f152
  SHA1: ef2a9c9c3e0129edf2f6247c3769c2da21ef934a
  SHA256: a52f666bd34e5301623700962a1be7d2f13f14b71ba766223e8f571849ec54fb
  SHA512: cbbf1fdec2cadf57a694d3910e182973da9e0c8c1a58a7f4fe9eedc82da9457734bee5417b5e24208c9407eeba5633316645518cf665445b9e80ef6043b65f0e