Analysis
-
max time kernel
135s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
12-05-2024 19:29
General
-
Target
19a0210c2ffe67ff8156dd3b2d7009dcc7df10c9fb5087a1fca89cbd883e9537.exe
-
Size
1.4MB
-
MD5
53eb29f92fe9a89832da0be4b3dc52ed
-
SHA1
3170c4c2f8658fea9ffdfd0b449f1a833464a6e1
-
SHA256
19a0210c2ffe67ff8156dd3b2d7009dcc7df10c9fb5087a1fca89cbd883e9537
-
SHA512
39236803ca6245d4416d0cf51e269b0d12d4286bd1df3f0ce696ff78e07f6b583092201584b201abdec01d9b7f749c0b846fd825a39c7449385c91c8a3c18c5a
-
SSDEEP
24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/ojE2:E5aIwC+Agr6tdlmU1/eoo2
Malware Config
Signatures
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19a0210c2ffe67ff8156dd3b2d7009dcc7df10c9fb5087a1fca89cbd883e9537.exe"C:\Users\Admin\AppData\Local\Temp\19a0210c2ffe67ff8156dd3b2d7009dcc7df10c9fb5087a1fca89cbd883e9537.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exeC:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CFC653DA-CB89-449E-8ADB-161114D29572} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exeC:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exeC:\Users\Admin\AppData\Roaming\WinSocket\19a0210c2ffe78ff9167dd3b2d8009dcc8df10c9fb6098a1fca99cbd993e9638.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD553eb29f92fe9a89832da0be4b3dc52ed
SHA13170c4c2f8658fea9ffdfd0b449f1a833464a6e1
SHA25619a0210c2ffe67ff8156dd3b2d7009dcc7df10c9fb5087a1fca89cbd883e9537
SHA51239236803ca6245d4416d0cf51e269b0d12d4286bd1df3f0ce696ff78e07f6b583092201584b201abdec01d9b7f749c0b846fd825a39c7449385c91c8a3c18c5a
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB