Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 18:50
Behavioral task: behavioral1
Sample: 121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe
Resource: win7-20240221-en
General
Target: 121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe
Size: 1.3MB
MD5: fb79f9fb02992d0e53b0aeb701e0d439
SHA1: d89df905142cd634123d55d6e7537cfc36e49981
SHA256: 121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba
SHA512: 819032457fc18a892c45ca524c3ba7f43ef48915b8afdd758614009f289fb525d7b86d0336cf8136e2fa4410d142110cfaa77f7f6552689ac79c3f0c581df32d
SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSw:E5aIwC+Agr6g81p1vsrNiw
Malware Config
Signatures
KPOT Core Executable (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  yara_rule: family_kpot

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral2/memory/4328-15-0x0000000002C00000-0x0000000002C29000-memory.dmp
  yara_rule: trickbot_loader32

Executes dropped EXE (3 IoCs)
  PID 4688  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  PID 1096  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  PID 3808  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1096  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  Token: SeTcbPrivilege
  PID 3808  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  Token: SeTcbPrivilege

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4328  121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe
  PID 4688  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  PID 1096  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  PID 3808  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report records 64 write events; the repeated entries collapse to these distinct source/target pairs:
  PID 4328  121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe  wrote to memory of  PID 4688  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  PID 4688  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  wrote to memory of  PID 2160  svchost.exe
  PID 1096  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  wrote to memory of  PID 4504  svchost.exe
  PID 3808  121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  wrote to memory of  PID 3244  svchost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe  (PID 4328)
   command line: "C:\Users\Admin\AppData\Local\Temp\121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  (PID 4688)
      command line: C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\svchost.exe  (PID 2160)
         command line: C:\Windows\system32\svchost.exe

1. C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  (PID 1096)
   command line: C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe  (PID 4504)
      command line: C:\Windows\system32\svchost.exe

1. C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe  (PID 3808)
   command line: C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe  (PID 3244)
      command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\WinSocket\121f01737a3ea9d02d42f318f418af9d1ec663906f99d899b9ade93697d794ba.exe
  Filesize: 1.3MB
  MD5: fb79f9fb02992d0e53b0aeb701e0d439
  SHA1: d89df905142cd634123d55d6e7537cfc36e49981
  SHA256: 121f01636a3ea9d02d42f317f417af9d1ec553805f88d788b9ade83586d694ba
  SHA512: 819032457fc18a892c45ca524c3ba7f43ef48915b8afdd758614009f289fb525d7b86d0336cf8136e2fa4410d142110cfaa77f7f6552689ac79c3f0c581df32d

File (no path recorded in the report)
  Filesize: 20KB
  MD5: 94a5f21d0224767f9c10faecc08723c0
  SHA1: 5dc2dc2455ee4e57883d73a2882d9f98239f1687
  SHA256: 0dd1bef0046cdebc6ebebe6bbedb6489f938c192a33fe5322a564882661f637b
  SHA512: 823d9e636d4fc317f416ab1c92db75844f58c80056c928d778580493506f55f10fc366e6b3059babd761ca58c9601bf34adbddbda154abce26ffcd017feea534