Analysis
- max time kernel: 101s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-08-2024 07:47
Behavioral task: behavioral1
- Sample: 8a03db3f14892a390eb4875ee18bb190N.exe
- Resource: win7-20240704-en
General
- Target: 8a03db3f14892a390eb4875ee18bb190N.exe
- Size: 901KB
- MD5: 8a03db3f14892a390eb4875ee18bb190
- SHA1: 7e252e81df515fa0be26117f8f5029fc524d9daf
- SHA256: 9682e11a5e2c8264134bdd1cfbc821311ca20423e8fa6205258e88a06414ce9e
- SHA512: 8499230ced9c41eb31b39228a7a84b3a6a2a10cd31b47cb0f40e1d8f8f07a473405c57a45abf79f06b9a134a79373ab821d707b19cc85e9a87a576d1ea3b84ec
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm13JPAVMB:E5aIwC+Agr6S/FpJPA6B
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000700000002348a-21.dat | family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource | yara_rule
  behavioral2/memory/316-15-0x0000000002BB0000-0x0000000002BD9000-memory.dmp | trickbot_loader32
- Executes dropped EXE (2 IoCs)
  pid | Process
  4916 | 9a03db3f14992a390eb4986ee19bb190N.exe
  2904 | 9a03db3f14992a390eb4986ee19bb190N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a03db3f14892a390eb4875ee18bb190N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9a03db3f14992a390eb4986ee19bb190N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9a03db3f14992a390eb4986ee19bb190N.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeTcbPrivilege | 2904 | 9a03db3f14992a390eb4986ee19bb190N.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  316 | 8a03db3f14892a390eb4875ee18bb190N.exe
  4916 | 9a03db3f14992a390eb4986ee19bb190N.exe
  2904 | 9a03db3f14992a390eb4986ee19bb190N.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  description | pid | Process | procid_target
  PID 316 wrote to memory of 4916 | 316 | 8a03db3f14892a390eb4875ee18bb190N.exe | 85 (repeated)
  PID 4916 wrote to memory of 1004 | 4916 | 9a03db3f14992a390eb4986ee19bb190N.exe | 86 (repeated)
  PID 2904 wrote to memory of 1156 | 2904 | 9a03db3f14992a390eb4986ee19bb190N.exe | 92 (repeated)
  (The report lists these three distinct write events as 55 identical rows in total; only the distinct rows are shown here.)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\8a03db3f14892a390eb4875ee18bb190N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a03db3f14892a390eb4875ee18bb190N.exe"
  PID: 316
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Roaming\WinSocket\9a03db3f14992a390eb4986ee19bb190N.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\9a03db3f14992a390eb4986ee19bb190N.exe
    PID: 4916
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Path: C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 1004
- Path: C:\Users\Admin\AppData\Roaming\WinSocket\9a03db3f14992a390eb4986ee19bb190N.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\9a03db3f14992a390eb4986ee19bb190N.exe
  PID: 2904
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 1156
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 901KB
- MD5: 8a03db3f14892a390eb4875ee18bb190
- SHA1: 7e252e81df515fa0be26117f8f5029fc524d9daf
- SHA256: 9682e11a5e2c8264134bdd1cfbc821311ca20423e8fa6205258e88a06414ce9e
- SHA512: 8499230ced9c41eb31b39228a7a84b3a6a2a10cd31b47cb0f40e1d8f8f07a473405c57a45abf79f06b9a134a79373ab821d707b19cc85e9a87a576d1ea3b84ec