Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-07-2024 23:39
Behavioral task
behavioral1
Sample
21237b83e39b56108b33fa9208e20bd0N.exe
Resource
win7-20240708-en
General
-
Target
21237b83e39b56108b33fa9208e20bd0N.exe
-
Size
1.1MB
-
MD5
21237b83e39b56108b33fa9208e20bd0
-
SHA1
2da6620e429aaa64ae28c97e07411ad331dea04c
-
SHA256
dc45d3955a7ee5a57d9324bbadabd18a9163a77a558537eeb04ada72d6e1cd29
-
SHA512
24fef9944ee6813f744d6076eec1f91bef1540f0f9af4bd1b31cc352866a590ed864fb1b17ae8cef921d0f3563314bc4d81fa0ab5ddba164b6283298cfcaa770
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCC2SNh:E5aIwC+Agr6SNasrsFCi
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource yara_rule behavioral1/files/0x0008000000016c7c-26.dat family_kpot -
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource yara_rule behavioral1/memory/1620-15-0x0000000000490000-0x00000000004B9000-memory.dmp trickbot_loader32 -
Executes dropped EXE 2 IoCs
pid Process 3040 21238b93e39b67109b33fa9209e20bd0N.exe 2120 21238b93e39b67109b33fa9209e20bd0N.exe -
Loads dropped DLL 2 IoCs
pid Process 1620 21237b83e39b56108b33fa9208e20bd0N.exe 1620 21237b83e39b56108b33fa9208e20bd0N.exe -
pid Process 2608 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2568 sc.exe 2712 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21237b83e39b56108b33fa9208e20bd0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21238b93e39b67109b33fa9209e20bd0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21238b93e39b67109b33fa9209e20bd0N.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1620 21237b83e39b56108b33fa9208e20bd0N.exe 1620 21237b83e39b56108b33fa9208e20bd0N.exe 1620 21237b83e39b56108b33fa9208e20bd0N.exe 2608 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2608 powershell.exe Token: SeTcbPrivilege 2120 21238b93e39b67109b33fa9209e20bd0N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1620 21237b83e39b56108b33fa9208e20bd0N.exe 3040 21238b93e39b67109b33fa9209e20bd0N.exe 2120 21238b93e39b67109b33fa9209e20bd0N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2676 1620 21237b83e39b56108b33fa9208e20bd0N.exe 30 PID 1620 wrote to memory of 2676 1620 21237b83e39b56108b33fa9208e20bd0N.exe 30 PID 1620 wrote to memory of 2676 1620 21237b83e39b56108b33fa9208e20bd0N.exe 30 PID 1620 wrote to memory of 2676 1620 21237b83e39b56108b33fa9208e20bd0N.exe 30 PID 1620 wrote to memory of 2652 1620 21237b83e39b56108b33fa9208e20bd0N.exe 31 PID 1620 wrote to memory of 2652 1620 21237b83e39b56108b33fa9208e20bd0N.exe 31 PID 1620 wrote to memory of 2652 1620 21237b83e39b56108b33fa9208e20bd0N.exe 31 PID 1620 wrote to memory of 2652 1620 21237b83e39b56108b33fa9208e20bd0N.exe 31 PID 1620 wrote to memory of 2680 1620 21237b83e39b56108b33fa9208e20bd0N.exe 32 PID 1620 wrote to memory of 2680 1620 21237b83e39b56108b33fa9208e20bd0N.exe 32 PID 1620 wrote to memory of 2680 1620 21237b83e39b56108b33fa9208e20bd0N.exe 32 PID 1620 wrote to memory of 2680 1620 21237b83e39b56108b33fa9208e20bd0N.exe 32 PID 1620 wrote to memory of 3040 1620 21237b83e39b56108b33fa9208e20bd0N.exe 36 PID 1620 wrote to memory of 3040 1620 21237b83e39b56108b33fa9208e20bd0N.exe 36 PID 1620 wrote to memory of 3040 1620 21237b83e39b56108b33fa9208e20bd0N.exe 36 PID 1620 wrote to memory of 3040 1620 21237b83e39b56108b33fa9208e20bd0N.exe 36 PID 2676 wrote to memory of 2568 2676 cmd.exe 37 PID 2676 wrote to memory of 2568 2676 cmd.exe 37 PID 2676 wrote to memory of 2568 2676 cmd.exe 37 PID 2676 wrote to memory of 2568 2676 cmd.exe 37 PID 2652 wrote to memory of 2712 2652 cmd.exe 38 PID 2652 wrote to memory of 2712 2652 cmd.exe 38 PID 2652 wrote to memory of 2712 2652 cmd.exe 38 PID 2652 wrote to memory of 2712 2652 cmd.exe 38 PID 2680 wrote to memory of 2608 2680 cmd.exe 39 PID 2680 wrote to memory of 2608 2680 cmd.exe 39 PID 2680 wrote to memory of 2608 2680 cmd.exe 39 PID 2680 wrote to memory of 2608 2680 cmd.exe 39 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 3040 wrote to memory of 2188 3040 21238b93e39b67109b33fa9209e20bd0N.exe 40 PID 600 wrote to memory of 2120 600 taskeng.exe 42 PID 600 wrote to memory of 2120 600 taskeng.exe 42 PID 600 wrote to memory of 2120 600 taskeng.exe 42 PID 600 wrote to memory of 2120 600 taskeng.exe 42 PID 2120 wrote to memory of 1996 2120 21238b93e39b67109b33fa9209e20bd0N.exe 43 PID 2120 wrote to memory of 1996 2120 21238b93e39b67109b33fa9209e20bd0N.exe 43 PID 2120 wrote to memory of 1996 2120 21238b93e39b67109b33fa9209e20bd0N.exe 43 PID 2120 wrote to memory of 1996 2120 21238b93e39b67109b33fa9209e20bd0N.exe 43 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\21237b83e39b56108b33fa9208e20bd0N.exe"C:\Users\Admin\AppData\Local\Temp\21237b83e39b56108b33fa9208e20bd0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:2188
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5078C905-F000-4E5D-A796-B6F62ED5D775} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:1996
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD521237b83e39b56108b33fa9208e20bd0
SHA12da6620e429aaa64ae28c97e07411ad331dea04c
SHA256dc45d3955a7ee5a57d9324bbadabd18a9163a77a558537eeb04ada72d6e1cd29
SHA51224fef9944ee6813f744d6076eec1f91bef1540f0f9af4bd1b31cc352866a590ed864fb1b17ae8cef921d0f3563314bc4d81fa0ab5ddba164b6283298cfcaa770