Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 20:00

Behavioral task: behavioral1
- Sample: 2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe
- Resource: win7-20240221-en
General
- Target: 2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe
- Size: 1.3MB
- MD5: 1fa1948224d5382fffff9be9a89720a6
- SHA1: 0c18525d670ec131b7f6ec440aeccaeb83c1362f
- SHA256: 2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d
- SHA512: 177d500c0a425b9bed657378e6f26638839ec864b8fc8c3e1aa1745f4d938f0ec65bf89cdd883b9c3b33111046fac51f613bda9cbb658c3da894ebd1d5eb4686
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZQZer4y:E5aIwC+Agr6StYCmy
Malware Config
Signatures

KPOT Core Executable (1 IoC)
  resource: behavioral2/files/0x0007000000023405-21.dat
  yara_rule: family_kpot

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral2/memory/4656-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp
  yara_rule: trickbot_loader32

Executes dropped EXE (3 IoCs)
  pid   Process
  3012  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
  1280  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
  4544  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             pid   Process
  Token: SeTcbPrivilege   1280  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
  Token: SeTcbPrivilege   4544  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  4656  2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe
  3012  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
  1280  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
  4544  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                  procid_target  rows
  PID 4656 wrote to memory of 3012   4656  2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe    81             3
  PID 3012 wrote to memory of 3644   3012  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe    82             28
  PID 1280 wrote to memory of 2436   1280  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe    93             24
  PID 4544 wrote to memory of 3988   4544  2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe    95             9
  (The report lists every write as its own row; identical rows are collapsed above, with the number of rows per parent/target pair in the last column.)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
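The report records only that the Task Scheduler COM API was called, not the task it created. The script below is an added example (not sandbox output, and not the malware's own task) for triaging a host after a hit like this: it parses Task Scheduler XML definitions and flags tasks whose action executes from a user-writable directory and that fire at boot, logon or on a timer. Both task definitions are constructed; the malicious one is assumed to point at the WinSocket drop location seen in the process tree.

```python
"""Flag scheduled tasks that run a binary from a user-writable directory and
fire at boot, logon or on a timer.

Added example, not sandbox output: the report only says the Task Scheduler
COM API was used, so the two task definitions below are constructed. The
malicious one points at the WinSocket drop location from the process tree."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations a scheduled task binary rarely belongs in: profile env vars, AppData, Downloads.
USER_WRITABLE = re.compile(
    r"^(?:%(?:appdata|localappdata|temp|tmp|userprofile)%"
    r"|[a-z]:\\users\\[^\\]+\\(?:appdata|downloads))\\",
    re.IGNORECASE,
)

# Trigger elements that run the task without the user doing anything.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "CalendarTrigger",
                        "TimeTrigger", "RegistrationTrigger"}

# Constructed task XML in the Task Scheduler 1.2 schema (the format of
# `schtasks /Query /TN <name> /XML` and of the files under C:\Windows\System32\Tasks).
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WinSocket</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Constructed\NightlyCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""


def parse_task(xml_data):
    """Pull the task URI, every Exec action and the trigger types out of one task XML."""
    root = ET.fromstring(xml_data)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI") or "<no URI>"
    commands = []
    for exec_node in root.iter(f"{NS}Exec"):
        cmd = (exec_node.findtext(f"{NS}Command") or "").strip().strip('"')
        args = (exec_node.findtext(f"{NS}Arguments") or "").strip()
        commands.append((cmd, args))
    triggers = root.find(f"{NS}Triggers")
    kinds = [child.tag[len(NS):] for child in triggers] if triggers is not None else []
    return {"uri": uri, "commands": commands, "triggers": kinds}


def suspicious(task):
    """Reasons to look at a task; an empty list means nothing matched."""
    reasons = [f"runs from a user-writable path: {cmd} {args}".rstrip()
               for cmd, args in task["commands"] if USER_WRITABLE.match(cmd)]
    persist = sorted(PERSISTENCE_TRIGGERS.intersection(task["triggers"]))
    if reasons and persist:
        reasons.append("fires without user action via " + ", ".join(persist))
    return reasons


def scan(xml_blobs):
    """Map task URI -> reasons for every task that trips a check."""
    findings = {}
    for blob in xml_blobs:
        task = parse_task(blob)
        reasons = suspicious(task)
        if reasons:
            findings[task["uri"]] = reasons
    return findings


if __name__ == "__main__":
    for uri, reasons in scan([MALICIOUS_TASK, BENIGN_TASK]).items():
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed `parse_task` the raw bytes of each file under C:\Windows\System32\Tasks (they are UTF-16 XML; passing bytes rather than decoded text lets the parser honour the byte-order mark) or the output of `schtasks /Query /TN <name> /XML`. The task name Trickbot registered is not recorded in this report, so match on the action path, not on a name.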
Processes

1. C:\Users\Admin\AppData\Local\Temp\2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe"
   PID: 4656
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
      command line: C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
      PID: 3012
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\svchost.exe
         command line: C:\Windows\system32\svchost.exe
         PID: 3644

1. C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
   command line: C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
   PID: 1280
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2436

1. C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
   command line: C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
   PID: 4544
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 3988
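The process tree above shows the pattern a detection engineer would want to turn into hunt logic: the submitted sample runs from %TEMP%, drops a copy into AppData\Roaming\WinSocket under a name that differs from the original only in that the digits 5 to 8 are each incremented by one, executes that copy three times, and each copy spawns an svchost.exe that it then writes into, with two of the copies also requesting SeTcbPrivilege. The script below is an added example, not part of the sandbox output: the EVENTS list is a hand-built reconstruction of the report's process starts, cross-process writes and privilege requests (field layout is my own), and the checks run offline over it. The file-name check generalises the observed shift to "any digit may be incremented by one"; that loosening is my assumption, not something the report states.

```python
"""Detections derived from this report's process tree and signature rows.

Added example, not part of the sandbox output: the EVENTS list below is a
hand-built reconstruction of the report (process starts, cross-process writes,
privilege requests) so the checks can run offline. The field layout is mine."""
import re

ORIG = "2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe"
DROP = "2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + ORIG
WINSOCKET_EXE = r"C:\Users\Admin\AppData\Roaming\WinSocket" + "\\" + DROP
SVCHOST = r"C:\Windows\system32\svchost.exe"

# (event, pid, related pid, payload). Constructed from the report's tree:
# three launches of the dropped copy, each spawning and writing into svchost.exe.
EVENTS = [
    ("start", 4656, None, TEMP_EXE),
    ("start", 3012, 4656, WINSOCKET_EXE),
    ("start", 3644, 3012, SVCHOST),
    ("write", 3012, 3644, None),
    ("start", 1280, None, WINSOCKET_EXE),     # parent not shown in the report
    ("priv", 1280, None, "SeTcbPrivilege"),
    ("start", 2436, 1280, SVCHOST),
    ("write", 1280, 2436, None),
    ("start", 4544, None, WINSOCKET_EXE),
    ("priv", 4544, None, "SeTcbPrivilege"),
    ("start", 3988, 4544, SVCHOST),
    ("write", 4544, 3988, None),
]

USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)


def build_tree(events):
    """pid -> {"ppid", "image"} from the start events."""
    return {pid: {"ppid": ppid, "image": image}
            for kind, pid, ppid, image in events if kind == "start"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def appdata_executions(procs):
    """Processes whose image lives under a user's AppData tree (the drop dir here)."""
    return sorted(pid for pid, p in procs.items() if USER_APPDATA.match(p["image"]))


def orphaned_svchost(procs):
    """svchost.exe instances not started by services.exe, its legitimate parent."""
    hits = []
    for pid, p in procs.items():
        if basename(p["image"]) != "svchost.exe":
            continue
        parent = procs.get(p["ppid"])
        if parent is None or basename(parent["image"]) != "services.exe":
            hits.append((pid, p["ppid"]))
    return sorted(hits)


def svchost_injections(events, procs):
    """Cross-process writes from a non-Windows-directory image into svchost.exe."""
    hits = []
    for kind, src, dst, _ in events:
        if kind != "write":
            continue
        s, d = procs.get(src), procs.get(dst)
        if s and d and not WINDOWS_DIR.match(s["image"]) and basename(d["image"]) == "svchost.exe":
            hits.append((src, dst))
    return hits


def tcb_requests(events, procs):
    """User-land images asking for SeTcbPrivilege; the request is the signal, granted or not."""
    return [pid for kind, pid, _, priv in events
            if kind == "priv" and priv == "SeTcbPrivilege"
            and pid in procs and not WINDOWS_DIR.match(procs[pid]["image"])]


def is_digit_shifted_copy(original, dropped):
    """True if `dropped` equals `original` except that some digits are larger by
    exactly one. In this report only the digits 5-8 moved; allowing any digit to
    move is a deliberate loosening (my assumption, not stated by the report)."""
    if len(original) != len(dropped):
        return False
    shifted = 0
    for a, b in zip(original, dropped):
        if a == b:
            continue
        if a.isdigit() and b.isdigit() and int(b) - int(a) == 1:
            shifted += 1
        else:
            return False
    return shifted > 0


def run(events):
    """All checks over one event stream; values are the offending pids or pairs."""
    procs = build_tree(events)
    names = sorted({basename(p["image"]) for p in procs.values()} - {"svchost.exe"})
    return {
        "appdata_execution": appdata_executions(procs),
        "orphaned_svchost": orphaned_svchost(procs),
        "svchost_injection": svchost_injections(events, procs),
        "setcb_request": tcb_requests(events, procs),
        "digit_shifted_copy": [(a, b) for a in names for b in names
                               if is_digit_shifted_copy(a, b)],
    }


if __name__ == "__main__":
    for key, value in run(EVENTS).items():
        print(f"{key}: {value}")
```

The svchost.exe parent check is the most portable of the four: on a normal host every svchost.exe is a child of services.exe, so an svchost.exe whose parent is an executable in a user profile is worth an alert on its own, before any memory-write telemetry is available.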
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
- Filesize: 1.3MB
- MD5: 1fa1948224d5382fffff9be9a89720a6
- SHA1: 0c18525d670ec131b7f6ec440aeccaeb83c1362f
- SHA256: 2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d
- SHA512: 177d500c0a425b9bed657378e6f26638839ec864b8fc8c3e1aa1745f4d938f0ec65bf89cdd883b9c3b33111046fac51f613bda9cbb658c3da894ebd1d5eb4686
(Same hashes as the submitted sample: the WinSocket file is a byte-for-byte copy under a different name.)

Second file (no path recorded in the report)
- Filesize: 41KB
- MD5: 5abef8b7feb63cdbcf0ff8811dc0f176
- SHA1: 75675abaaff235874ea39febaad588f063a82158
- SHA256: ee5babf9a19aae80f152ae3f2b154823331e795bf4cc83bc1d444b2079e67f97
- SHA512: 4845406936fdf1fb41219ceef76b7d9ec6375294355e03db435fc385515417bd8990dfd924871003cd6303eda3ea21da6054bd8127aa89361304fd4931706c6d