Analysis
-
max time kernel
70s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 04:02
Behavioral task
behavioral1
Sample
d804e70c7b5fd8d9c308278e03dc94a0N.exe
Resource
win7-20240704-en
General
-
Target
d804e70c7b5fd8d9c308278e03dc94a0N.exe
-
Size
1.2MB
-
MD5
d804e70c7b5fd8d9c308278e03dc94a0
-
SHA1
965eb9430e085481861b927cc721a33bcc1d62e8
-
SHA256
044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
-
SHA512
147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCCCqR:E5aIwC+Agr6SNasrsFCZqR
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016cf0-22.dat family_kpot -
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource yara_rule behavioral1/memory/2632-15-0x0000000000310000-0x0000000000339000-memory.dmp trickbot_loader32 -
Executes dropped EXE 2 IoCs
pid Process 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe -
Loads dropped DLL 2 IoCs
pid Process 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe -
pid Process 2712 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2132 sc.exe 752 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d904e80c8b6fd9d9c309289e03dc94a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d904e80c8b6fd9d9c309289e03dc94a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d804e70c7b5fd8d9c308278e03dc94a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 2712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2712 powershell.exe Token: SeTcbPrivilege 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2632 wrote to memory of 2800 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 31 PID 2632 wrote to memory of 2800 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 31 PID 2632 wrote to memory of 2800 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 31 PID 2632 wrote to memory of 2800 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 31 PID 2632 wrote to memory of 2988 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 32 PID 2632 wrote to memory of 2988 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 32 PID 2632 wrote to memory of 2988 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 32 PID 2632 wrote to memory of 2988 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 32 PID 2632 wrote to memory of 2836 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 33 PID 2632 wrote to memory of 2836 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 33 PID 2632 wrote to memory of 2836 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 33 PID 2632 wrote to memory of 2836 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 33 PID 2632 wrote to memory of 2832 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 35 PID 2632 wrote to memory of 2832 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 35 PID 2632 wrote to memory of 2832 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 35 PID 2632 wrote to memory of 2832 2632 d804e70c7b5fd8d9c308278e03dc94a0N.exe 35 PID 2800 wrote to memory of 2132 2800 cmd.exe 38 PID 2800 wrote to memory of 2132 2800 cmd.exe 38 PID 2800 wrote to memory of 2132 2800 cmd.exe 38 PID 2800 wrote to memory of 2132 2800 cmd.exe 38 PID 2836 wrote to memory of 2712 2836 cmd.exe 39 PID 2836 wrote to memory of 2712 2836 cmd.exe 39 PID 2836 wrote to memory of 2712 2836 cmd.exe 39 PID 2836 wrote to memory of 2712 2836 cmd.exe 39 PID 2988 wrote to memory of 752 2988 cmd.exe 40 PID 2988 wrote to memory of 752 2988 cmd.exe 40 PID 2988 wrote to memory of 752 2988 cmd.exe 40 PID 2988 wrote to memory of 752 2988 cmd.exe 40 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2832 wrote to memory of 1340 2832 d904e80c8b6fd9d9c309289e03dc94a0N.exe 41 PID 2916 wrote to memory of 556 2916 taskeng.exe 43 PID 2916 wrote to memory of 556 2916 taskeng.exe 43 PID 2916 wrote to memory of 556 2916 taskeng.exe 43 PID 2916 wrote to memory of 556 2916 taskeng.exe 43 PID 556 wrote to memory of 2076 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe 44 PID 556 wrote to memory of 2076 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe 44 PID 556 wrote to memory of 2076 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe 44 PID 556 wrote to memory of 2076 556 d904e80c8b6fd9d9c309289e03dc94a0N.exe 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d804e70c7b5fd8d9c308278e03dc94a0N.exe"C:\Users\Admin\AppData\Local\Temp\d804e70c7b5fd8d9c308278e03dc94a0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2132
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:752
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:1340
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9BACF556-23E5-402C-8DAE-24D532284D73} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:2076
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5d804e70c7b5fd8d9c308278e03dc94a0
SHA1965eb9430e085481861b927cc721a33bcc1d62e8
SHA256044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
SHA512147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84