Analysis
-
max time kernel
71s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27-07-2024 05:49
Behavioral task
behavioral1
Sample
9bd84e7b65bfd37ccfb3ed0102b46050N.exe
Resource
win7-20240708-en
General
-
Target
9bd84e7b65bfd37ccfb3ed0102b46050N.exe
-
Size
1.1MB
-
MD5
9bd84e7b65bfd37ccfb3ed0102b46050
-
SHA1
03e00b0cb591ebd79caf23294c7eae8cd81c0a57
-
SHA256
6e75417949055210a48b9479d4ec68c247440d4ff4bf2bafef01c1a3099715ab
-
SHA512
5809951ce1e86b4414cf8b0f5fd9064cdf6301f2ac8d25d7afd091c4c484e3f8a3c59123b936efe118353192befee983879caae5a98a388c7597395b3bf7e4fd
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCC1:E5aIwC+Agr6SNasrsFCA
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000019419-26.dat family_kpot -
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource yara_rule behavioral1/memory/1964-15-0x00000000003D0000-0x00000000003F9000-memory.dmp trickbot_loader32 -
Executes dropped EXE 2 IoCs
pid Process 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 2012 9bd94e8b76bfd38ccfb3ed0102b47060N.exe -
Loads dropped DLL 2 IoCs
pid Process 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe -
pid Process 2908 powershell.exe 2640 powershell.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2328 sc.exe 2332 sc.exe 2632 sc.exe 2636 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bd94e8b76bfd38ccfb3ed0102b47060N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bd84e7b65bfd37ccfb3ed0102b46050N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bd94e8b76bfd38ccfb3ed0102b47060N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 2908 powershell.exe 2640 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2908 powershell.exe Token: SeDebugPrivilege 2640 powershell.exe Token: SeTcbPrivilege 2012 9bd94e8b76bfd38ccfb3ed0102b47060N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 2012 9bd94e8b76bfd38ccfb3ed0102b47060N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1964 wrote to memory of 2568 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 30 PID 1964 wrote to memory of 2568 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 30 PID 1964 wrote to memory of 2568 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 30 PID 1964 wrote to memory of 2568 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 30 PID 1964 wrote to memory of 2704 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 31 PID 1964 wrote to memory of 2704 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 31 PID 1964 wrote to memory of 2704 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 31 PID 1964 wrote to memory of 2704 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 31 PID 1964 wrote to memory of 2488 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 33 PID 1964 wrote to memory of 2488 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 33 PID 1964 wrote to memory of 2488 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 33 PID 1964 wrote to memory of 2488 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 33 PID 1964 wrote to memory of 2832 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 36 PID 1964 wrote to memory of 2832 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 36 PID 1964 wrote to memory of 2832 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 36 PID 1964 wrote to memory of 2832 1964 9bd84e7b65bfd37ccfb3ed0102b46050N.exe 36 PID 2832 wrote to memory of 1196 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 38 PID 2832 wrote to memory of 1196 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 38 PID 2832 wrote to memory of 1196 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 38 PID 2832 wrote to memory of 1196 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 38 PID 2832 wrote to memory of 2748 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 39 PID 2832 wrote to memory of 2748 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 39 PID 2832 wrote to memory of 2748 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 39 PID 2832 wrote to memory of 2748 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 39 PID 2832 wrote to memory of 2780 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 40 PID 2832 wrote to memory of 2780 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 40 PID 2832 wrote to memory of 2780 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 40 PID 2832 wrote to memory of 2780 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 40 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2832 wrote to memory of 2608 2832 9bd94e8b76bfd38ccfb3ed0102b47060N.exe 41 PID 2488 wrote to memory of 2640 2488 cmd.exe 44 PID 2488 wrote to memory of 2640 2488 cmd.exe 44 PID 2488 wrote to memory of 2640 2488 cmd.exe 44 PID 2488 wrote to memory of 2640 2488 cmd.exe 44 PID 2568 wrote to memory of 2636 2568 cmd.exe 37 PID 2568 wrote to memory of 2636 2568 cmd.exe 37 PID 2568 wrote to memory of 2636 2568 cmd.exe 37 PID 2568 wrote to memory of 2636 2568 cmd.exe 37 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bd84e7b65bfd37ccfb3ed0102b46050N.exe"C:\Users\Admin\AppData\Local\Temp\9bd84e7b65bfd37ccfb3ed0102b46050N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2632
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\9bd94e8b76bfd38ccfb3ed0102b47060N.exeC:\Users\Admin\AppData\Roaming\WinSocket\9bd94e8b76bfd38ccfb3ed0102b47060N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2328
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:2608
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {148C0CCD-C206-4B48-A697-CB999D7FCFB0} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2428
-
C:\Users\Admin\AppData\Roaming\WinSocket\9bd94e8b76bfd38ccfb3ed0102b47060N.exeC:\Users\Admin\AppData\Roaming\WinSocket\9bd94e8b76bfd38ccfb3ed0102b47060N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:1292
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSE18YVDGOO9WBYVT292.temp
Filesize7KB
MD5738e0ab6f4f5e666af4a75cb2190ac24
SHA12eed1f6e4e410d6e2ea5e8a0ef2ab950ed2c8079
SHA25625cb030a0e1be33ce5e87621c8c99d7c23b3967d914cb77928795d351a07ea7d
SHA512e59d7ea1c02a9f6e15834918c56d61679452c78993004e76f87304cfd25960eee81a4d7080be9a598c79573cf9b9b9c93e3890f40cbc23a6e2935715d5337510
-
Filesize
1.1MB
MD59bd84e7b65bfd37ccfb3ed0102b46050
SHA103e00b0cb591ebd79caf23294c7eae8cd81c0a57
SHA2566e75417949055210a48b9479d4ec68c247440d4ff4bf2bafef01c1a3099715ab
SHA5125809951ce1e86b4414cf8b0f5fd9064cdf6301f2ac8d25d7afd091c4c484e3f8a3c59123b936efe118353192befee983879caae5a98a388c7597395b3bf7e4fd