Overview

overview

10

Static

static

10

fe01dcffe6...dc.exe

windows7-x64

10

fe01dcffe6...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe01dcffe6a6f98e13bd27cbfeec50ba0466774deb21b518dce5e91ed3b80ddc.exe

  • Size

    1.0MB

  • MD5

    88a66b7e4142e224d442891a03f907ac

  • SHA1

    016d11c1d8fc7d6346cb47ea0b0688878938aebf

  • SHA256

    fe01dcffe6a6f98e13bd27cbfeec50ba0466774deb21b518dce5e91ed3b80ddc

  • SHA512

    597031b5c581416ab57229972e1c0889113daabaf1ed6c28aac4ac73e10d77799a9b5a343606ffa779839e5d16c2fbe38a62be003439a22b2be3d7e6c62cd179

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ9skbv:E5aIwC+Agr6SNbt

Score
10/10
kpottrickbotbankerstealertrojan

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

    trojanstealerkpot
  • KPOT Core Executable 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe01dcffe6a6f98e13bd27cbfeec50ba0466774deb21b518dce5e91ed3b80ddc.exe
    "C:\Users\Admin\AppData\Local\Temp\fe01dcffe6a6f98e13bd27cbfeec50ba0466774deb21b518dce5e91ed3b80ddc.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2036
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=808 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2496
      • C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
        C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          2⤵
            PID:4416
        • C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
          C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            2⤵
              PID:3140

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\WinSocket\fe01dcffe7a7f99e13bd28cbfeec60ba0477884deb21b619dce6e91ed3b90ddc.exe
            Filesize

            1.0MB

            MD5

            88a66b7e4142e224d442891a03f907ac

            SHA1

            016d11c1d8fc7d6346cb47ea0b0688878938aebf

            SHA256

            fe01dcffe6a6f98e13bd27cbfeec50ba0466774deb21b518dce5e91ed3b80ddc

            SHA512

            597031b5c581416ab57229972e1c0889113daabaf1ed6c28aac4ac73e10d77799a9b5a343606ffa779839e5d16c2fbe38a62be003439a22b2be3d7e6c62cd179

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
            Filesize

            31KB

            MD5

            a56c1aa6e73efa9710409b26a0876927

            SHA1

            16e604dd6043fb401e35c8121d5b30985e60446f

            SHA256

            0b8ed360abc8ca848167bc93e55c64dd1be4f60ae368b5d040af3b9979452d16

            SHA512

            496819b6b47b3fc0ab9658406aca8a53c7035e5c86730b09a8fd4ee34228f0822d349236a5146eca4340839b74fff38da80dbf305f7bfd8669211d0f827e3ea5

            Download Submit

          • memory/2036-47-0x0000000010000000-0x000000001001E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2036-46-0x0000000010000000-0x000000001001E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2036-51-0x000002454F3F0000-0x000002454F3F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-36-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-26-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-41-0x0000000010000000-0x0000000010007000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2044-40-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2044-35-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-30-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-37-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-52-0x0000000003060000-0x000000000311E000-memory.dmp

            Filesize

            760KB

            Download

          • memory/2044-27-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-28-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-29-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-53-0x0000000003160000-0x0000000003429000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/2044-31-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-34-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-33-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2044-32-0x00000000007A0000-0x00000000007A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-5-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-7-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-16-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2132-15-0x0000000000421000-0x0000000000422000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-3-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-8-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-6-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-4-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-10-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-11-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-13-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-14-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-12-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-9-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-2-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2132-17-0x0000000002C30000-0x0000000002C59000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3672-58-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-64-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-65-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-66-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-63-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-62-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-67-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-68-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-61-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-69-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-60-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-72-0x0000000000421000-0x0000000000422000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3672-73-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/3672-59-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download