Analysis
max time kernel: 134s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 18:13
Behavioral task: behavioral1
Sample: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
Resource: win7-20240729-en
General
Target: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
Size: 1.2MB
MD5: d804e70c7b5fd8d9c308278e03dc94a0
SHA1: 965eb9430e085481861b927cc721a33bcc1d62e8
SHA256: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
SHA512: 147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCCCqR:E5aIwC+Agr6SNasrsFCZqR
Malware Config
Signatures

KPOT Core Executable (1 IoCs)
resource | yara_rule
behavioral1/files/0x000800000001752b-25.dat | family_kpot

Trickbot x86 loader (1 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource | yara_rule
behavioral1/memory/2088-15-0x0000000000580000-0x00000000005A9000-memory.dmp | trickbot_loader32

Executes dropped EXE (3 IoCs)
pid | Process
2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
2052 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
768 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe

Loads dropped DLL (2 IoCs)
pid | Process
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
Command and Scripting Interpreter: PowerShell (2 IoCs)
pid | Process
2556 | powershell.exe
2732 | powershell.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2628 | sc.exe
2940 | sc.exe
2640 | sc.exe
2656 | sc.exe

System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
2732 | powershell.exe
2556 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeTcbPrivilege | 2052 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Token: SeTcbPrivilege | 768 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
2052 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
768 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2088 wrote to memory of 2380 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 30
PID 2088 wrote to memory of 2380 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 30
PID 2088 wrote to memory of 2380 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 30
PID 2088 wrote to memory of 2380 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 30
PID 2088 wrote to memory of 2596 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 31
PID 2088 wrote to memory of 2596 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 31
PID 2088 wrote to memory of 2596 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 31
PID 2088 wrote to memory of 2596 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 31
PID 2088 wrote to memory of 2944 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 32
PID 2088 wrote to memory of 2944 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 32
PID 2088 wrote to memory of 2944 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 32
PID 2088 wrote to memory of 2944 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 32
PID 2088 wrote to memory of 2128 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 34
PID 2088 wrote to memory of 2128 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 34
PID 2088 wrote to memory of 2128 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 34
PID 2088 wrote to memory of 2128 | 2088 | 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe | 34
PID 2596 wrote to memory of 2640 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2640 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2640 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2640 | 2596 | cmd.exe | 39
PID 2380 wrote to memory of 2656 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2656 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2656 | 2380 | cmd.exe | 38
PID 2380 wrote to memory of 2656 | 2380 | cmd.exe | 38
PID 2128 wrote to memory of 2688 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 37
PID 2128 wrote to memory of 2688 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 37
PID 2128 wrote to memory of 2688 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 37
PID 2128 wrote to memory of 2688 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 37
PID 2944 wrote to memory of 2732 | 2944 | cmd.exe | 40
PID 2944 wrote to memory of 2732 | 2944 | cmd.exe | 40
PID 2944 wrote to memory of 2732 | 2944 | cmd.exe | 40
PID 2944 wrote to memory of 2732 | 2944 | cmd.exe | 40
PID 2128 wrote to memory of 2736 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 41
PID 2128 wrote to memory of 2736 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 41
PID 2128 wrote to memory of 2736 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 41
PID 2128 wrote to memory of 2736 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 41
PID 2128 wrote to memory of 2824 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 43
PID 2128 wrote to memory of 2824 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 43
PID 2128 wrote to memory of 2824 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 43
PID 2128 wrote to memory of 2824 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 43
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
PID 2128 wrote to memory of 2648 | 2128 | 044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe | 45
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (indentation shows the parent/child level reported by the sandbox):

C:\Users\Admin\AppData\Local\Temp\044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2088

    C:\Windows\SysWOW64\cmd.exe
    Command line: /c sc stop WinDefend
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2380

        C:\Windows\SysWOW64\sc.exe
        Command line: sc stop WinDefend
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
        PID: 2656

    C:\Windows\SysWOW64\cmd.exe
    Command line: /c sc delete WinDefend
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2596

        C:\Windows\SysWOW64\sc.exe
        Command line: sc delete WinDefend
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
        PID: 2640

    C:\Windows\SysWOW64\cmd.exe
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2944

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2732

    C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2128

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c sc stop WinDefend
        - System Location Discovery: System Language Discovery
        PID: 2688

            C:\Windows\SysWOW64\sc.exe
            Command line: sc stop WinDefend
            - Launches sc.exe
            - System Location Discovery: System Language Discovery
            PID: 2940

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c sc delete WinDefend
        - System Location Discovery: System Language Discovery
        PID: 2736

            C:\Windows\SysWOW64\sc.exe
            Command line: sc delete WinDefend
            - Launches sc.exe
            - System Location Discovery: System Language Discovery
            PID: 2628

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - System Location Discovery: System Language Discovery
        PID: 2824

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2556

        C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 2648

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {29180811-85E7-4239-990F-D14CF3F091CE} S-1-5-18:NT AUTHORITY\System:Service:
PID: 2144

    C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2052

        C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 1048

    C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 768

        C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 692
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A646BS9FRCNSBJJCHV7X.temp
Filesize: 7KB
MD5: e471ec4d912ba58b38ee2dc2e5d6b6c5
SHA1: df05b18c4ba82ddec6862dbfc66210ed48f0fba3
SHA256: 711bf329ac6e41ba3e1410bb3acdf5b36f01cb73b036dfa41b1b5ee26fc58e1a
SHA512: bfd8fc4c4e728c5c32a3d239040977bc990692e9670b9dceabb093f9bdb60711dfde6a5be42876dfee075db864ab1e5f84bed8fb43daaa064f40123ec36b84a8

C:\Users\Admin\AppData\Roaming\WinSocket\044ce9c94930aa4f340192a77ea1df9c198a4360cece903679ecc604bfda9b99.exe
Filesize: 1.2MB
MD5: d804e70c7b5fd8d9c308278e03dc94a0
SHA1: 965eb9430e085481861b927cc721a33bcc1d62e8
SHA256: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
SHA512: 147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84