Analysis
  max time kernel: 134s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240705-en
  resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted: 05-07-2024 21:19
Behavioral task
  behavioral1
  Sample: 07a93d1b791f806cb9a2a24251e7f410.exe
  Resource: win7-20240705-en
General
  Target: 07a93d1b791f806cb9a2a24251e7f410.exe
  Size: 1.2MB
  MD5: 07a93d1b791f806cb9a2a24251e7f410
  SHA1: 9fe049e30a34792d8fab0d2d3b72ae736fb84ee7
  SHA256: 9933b6a09784801f5015300af6a49b0092513c41fec22cc76d51f031af0813c0
  SHA512: 6f009fa1f008a83f109646594e80d265a17fbfc3060e18af2257b20ede2dc5c585ef28a16c9ccea91db6aed1bdc8aad38ee4adc18207c596431bd1d9a8362d89
  SSDEEP: 24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZQZOx:E5aIwC+Agr6StYCfx
Malware Config
Signatures
KPOT Core Executable 1 IoCs
  resource: behavioral1/files/0x0008000000017389-22.dat
  yara_rule: family_kpot
Trickbot x86 loader 1 IoCs
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral1/memory/2056-15-0x0000000000290000-0x00000000002B9000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE 3 IoCs
  pid   Process
  2944  08a93d1b891f907cb9a2a24261e8f410.exe
  1152  08a93d1b891f907cb9a2a24261e8f410.exe
  1680  08a93d1b891f907cb9a2a24261e8f410.exe
Loads dropped DLL 2 IoCs
  pid   Process
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
Drops file in System32 directory 2 IoCs
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
Launches sc.exe 4 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  2740  sc.exe
  2640  sc.exe
  2748  sc.exe
  2612  sc.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid   Process
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
  2944  08a93d1b891f907cb9a2a24261e8f410.exe
  2944  08a93d1b891f907cb9a2a24261e8f410.exe
  2944  08a93d1b891f907cb9a2a24261e8f410.exe
  2684  powershell.exe
  2736  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   2684  powershell.exe
  Token: SeDebugPrivilege   2736  powershell.exe
  Token: SeTcbPrivilege     1152  08a93d1b891f907cb9a2a24261e8f410.exe
  Token: SeTcbPrivilege     1680  08a93d1b891f907cb9a2a24261e8f410.exe
Suspicious use of SetWindowsHookEx 4 IoCs
  pid   Process
  2056  07a93d1b791f806cb9a2a24251e7f410.exe
  2944  08a93d1b891f907cb9a2a24261e8f410.exe
  1152  08a93d1b891f907cb9a2a24261e8f410.exe
  1680  08a93d1b891f907cb9a2a24261e8f410.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\07a93d1b791f806cb9a2a24251e7f410.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a93d1b791f806cb9a2a24251e7f410.exe"
  PID: 2056
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c sc stop WinDefend
      PID: 2420
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          Command line: sc stop WinDefend
          PID: 2748
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c sc delete WinDefend
      PID: 2520
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete WinDefend
          PID: 2740
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      PID: 1824
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
          PID: 2736
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      PID: 2944
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c sc stop WinDefend
          PID: 2908
            C:\Windows\SysWOW64\sc.exe
              Command line: sc stop WinDefend
              PID: 2612
              - Launches sc.exe
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c sc delete WinDefend
          PID: 2724
            C:\Windows\SysWOW64\sc.exe
              Command line: sc delete WinDefend
              PID: 2640
              - Launches sc.exe
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          PID: 2916
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
              PID: 2684
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 2636
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {67DA22F5-BCA9-45D5-94BB-52F1F60A0A56} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2268
    C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      PID: 1152
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 408
    C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\08a93d1b891f907cb9a2a24261e8f410.exe
      PID: 1680
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 1844
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 162a950c4f9e104f4f35da91bc3370c6
  SHA1: c7ac14fc4b42346e23496627b812abedc152eb43
  SHA256: 6d539accdc3fed31998fe32f433f66d67ed05df59477439855ec157694055ba6
  SHA512: c81866d049df8138d4b0dc897f467ee8df0ebbcd3f26cb67a4204067c8163e665a194ad28868cd16f597a6a29e3237d364bfb066e19a11b000f2a132aa11ad30

  Filesize: 1.2MB
  MD5: 07a93d1b791f806cb9a2a24251e7f410
  SHA1: 9fe049e30a34792d8fab0d2d3b72ae736fb84ee7
  SHA256: 9933b6a09784801f5015300af6a49b0092513c41fec22cc76d51f031af0813c0
  SHA512: 6f009fa1f008a83f109646594e80d265a17fbfc3060e18af2257b20ede2dc5c585ef28a16c9ccea91db6aed1bdc8aad38ee4adc18207c596431bd1d9a8362d89