Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 00:49
Behavioral task: behavioral1
Sample: 95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb.exe
Resource: win7-20240508-en
General
Target: 95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb.exe
Size: 1.3MB
MD5: 5d81ee195a334c903eba273c2cc77f65
SHA1: 139bd5905ac393dbf27b997e6a74ac34125b20e3
SHA256: 95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb
SHA512: f068ad36a61757909f1aee007a0aad469d88b3dc279beb2340553d207ebc2ac5e8b3393b64fd835a4ed6292a4bd8c582345946f462d7c959acff207f8d9096c7
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZNNzRS:E5aIwC+Agr6StYCNK
Malware Config
Signatures
KPOT Core Executable (1 IoC)
resource: behavioral2/files/0x0007000000023422-21.dat
yara_rule: family_kpot
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource: behavioral2/memory/1056-15-0x00000000021F0000-0x0000000002219000-memory.dmp
yara_rule: trickbot_loader32
Executes dropped EXE (3 IoCs)
pid   Process
2008  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
1580  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
3428  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             pid   Process
Token: SeTcbPrivilege   1580  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
Token: SeTcbPrivilege   3428  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid   Process
1056  95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb.exe
2008  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
1580  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
3428  96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1056
   2. C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2008
      3. C:\Windows\system32\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 2336

1. C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1580
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3020

1. C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3428
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4404
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\WinSocket\96b276db9e8739da8cd2069caf8bd7ea939c44b37fdc9931f3b3c016ca3609bb.exe
Filesize: 1.3MB
MD5: 5d81ee195a334c903eba273c2cc77f65
SHA1: 139bd5905ac393dbf27b997e6a74ac34125b20e3
SHA256: 95b265db8e7638da7cd2059caf7bd6ea939c44b36fdc9831f3b3c015ca3508bb
SHA512: f068ad36a61757909f1aee007a0aad469d88b3dc279beb2340553d207ebc2ac5e8b3393b64fd835a4ed6292a4bd8c582345946f462d7c959acff207f8d9096c7

Filesize: 32KB
MD5: dbf95e1696da3081fd1a042c8a02e278
SHA1: 87bfa58b07ee151f4bc9056ce740ba03ac3d650a
SHA256: c8e69de104439eb8c32852f0bf7eef34e0e80898a61f88ebd4d3c6460334b589
SHA512: 6c9cc4bf7c9208fa3b0211ae9fd7ea9c3290f73bfb614a7360668db88a7cb0ab778833be64dffb7c863cee92083768f05ede3f8555453375e5a27e00e405d14a