Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-07-2024 20:00

General

  • Target

    2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe

  • Size

    1.3MB

  • MD5

    1fa1948224d5382fffff9be9a89720a6

  • SHA1

    0c18525d670ec131b7f6ec440aeccaeb83c1362f

  • SHA256

    2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d

  • SHA512

    177d500c0a425b9bed657378e6f26638839ec864b8fc8c3e1aa1745f4d938f0ec65bf89cdd883b9c3b33111046fac51f613bda9cbb658c3da894ebd1d5eb4686

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZQZer4y:E5aIwC+Agr6StYCmy

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable (1 IoC)
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader (1 IoC)

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe
    "C:\Users\Admin\AppData\Local\Temp\2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d.exe"
    PID:4656
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
      PID:3012
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        PID:3644
  • C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
    PID:1280
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      PID:2436
  • C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
    C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
    PID:4544
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      PID:3988

Downloads

  • C:\Users\Admin\AppData\Roaming\WinSocket\2c8f67ca784afb300a6df8640249d09a2c7dfc91896f26df7991d41fd809690d.exe
    (same hashes as the submitted sample)
    Filesize: 1.3MB
    MD5: 1fa1948224d5382fffff9be9a89720a6
    SHA1: 0c18525d670ec131b7f6ec440aeccaeb83c1362f
    SHA256: 2c7f56ca674afb300a5df7540248d08a2c6dfc81785f25df6981d41fd708590d
    SHA512: 177d500c0a425b9bed657378e6f26638839ec864b8fc8c3e1aa1745f4d938f0ec65bf89cdd883b9c3b33111046fac51f613bda9cbb658c3da894ebd1d5eb4686

  • C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
    Filesize: 41KB
    MD5: 5abef8b7feb63cdbcf0ff8811dc0f176
    SHA1: 75675abaaff235874ea39febaad588f063a82158
    SHA256: ee5babf9a19aae80f152ae3f2b154823331e795bf4cc83bc1d444b2079e67f97
    SHA512: 4845406936fdf1fb41219ceef76b7d9ec6375294355e03db435fc385515417bd8990dfd924871003cd6303eda3ea21da6054bd8127aa89361304fd4931706c6d

  Memory dumps (region and filesize):

  • memory/1280-63-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-58-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-59-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-60-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-61-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-62-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-69-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-64-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-73-0x0000000000400000-0x0000000000472000-memory.dmp  456KB
  • memory/1280-65-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-66-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-67-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-68-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  • memory/1280-72-0x0000000000421000-0x0000000000422000-memory.dmp  4KB
  • memory/3012-35-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-31-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-30-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-29-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-28-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-27-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-26-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-40-0x0000000000400000-0x0000000000472000-memory.dmp  456KB
  • memory/3012-52-0x0000000003060000-0x000000000311E000-memory.dmp  760KB
  • memory/3012-32-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-53-0x0000000003160000-0x0000000003429000-memory.dmp  2.8MB
  • memory/3012-33-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-34-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-36-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3012-42-0x0000000010000000-0x0000000010007000-memory.dmp  28KB
  • memory/3012-41-0x0000000010000000-0x0000000010007000-memory.dmp  28KB
  • memory/3012-37-0x00000000021E0000-0x00000000021E1000-memory.dmp  4KB
  • memory/3644-46-0x0000000010000000-0x000000001001E000-memory.dmp  120KB
  • memory/3644-47-0x0000000010000000-0x000000001001E000-memory.dmp  120KB
  • memory/3644-51-0x000001ACBB670000-0x000001ACBB671000-memory.dmp  4KB
  • memory/4656-13-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-2-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-3-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-4-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp  164KB
  • memory/4656-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-6-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-7-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-8-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-9-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-10-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-11-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-12-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-14-0x0000000002AA0000-0x0000000002AA1000-memory.dmp  4KB
  • memory/4656-17-0x0000000000421000-0x0000000000422000-memory.dmp  4KB
  • memory/4656-18-0x0000000000400000-0x0000000000472000-memory.dmp  456KB