Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 04:02
Behavioral task: behavioral1
Sample: d804e70c7b5fd8d9c308278e03dc94a0N.exe
Resource: win7-20240704-en
General
Target: d804e70c7b5fd8d9c308278e03dc94a0N.exe
Size: 1.2MB
MD5: d804e70c7b5fd8d9c308278e03dc94a0
SHA1: 965eb9430e085481861b927cc721a33bcc1d62e8
SHA256: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
SHA512: 147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCCCqR:E5aIwC+Agr6SNasrsFCZqR
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource                                      yara_rule
behavioral2/files/0x0007000000023423-21.dat   family_kpot
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource                                                                      yara_rule
behavioral2/memory/4768-15-0x0000000002960000-0x0000000002989000-memory.dmp   trickbot_loader32
Executes dropped EXE 2 IoCs
pid    Process
1944   d904e80c8b6fd9d9c309289e03dc94a0N.exe
1964   d904e80c8b6fd9d9c309289e03dc94a0N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d804e70c7b5fd8d9c308278e03dc94a0N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d904e80c8b6fd9d9c309289e03dc94a0N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d904e80c8b6fd9d9c309289e03dc94a0N.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description             pid    Process
Token: SeTcbPrivilege   1964   d904e80c8b6fd9d9c309289e03dc94a0N.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid    Process
4768   d804e70c7b5fd8d9c308278e03dc94a0N.exe
1944   d904e80c8b6fd9d9c309289e03dc94a0N.exe
1964   d904e80c8b6fd9d9c309289e03dc94a0N.exe
Suspicious use of WriteProcessMemory 55 IoCs
description                        pid    Process                                  procid_target   count
PID 4768 wrote to memory of 1944   4768   d804e70c7b5fd8d9c308278e03dc94a0N.exe   84              3
PID 1944 wrote to memory of 5028   1944   d904e80c8b6fd9d9c309289e03dc94a0N.exe   85              26
PID 1964 wrote to memory of 4408   1964   d904e80c8b6fd9d9c309289e03dc94a0N.exe   101             26
(identical rows collapsed; the count column gives how many times each row appears in the original 55-row table)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
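The report records the COM API call but not the task it registered, so a hunt on a live host has to start from the task definitions themselves. The following Python is an added example, not from the report or the sample: it parses Task Scheduler XML and flags tasks whose action resolves to a user-writable path. The XML namespace and element names are the real task schema; the task names, both task bodies and the WRITABLE_PREFIXES policy are constructed for illustration, and the suspect task pointing at the dropped WinSocket copy is an assumption, not something the report shows.

```python
"""Hunt scheduled-task definitions whose action runs from a user-writable path.

Added example, not from the report: the task definitions below are constructed
(the element names and XML namespace are the real Task Scheduler schema; the
task names, the benign task and the WRITABLE_PREFIXES policy are assumptions).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Environment a task would see for the sandbox user (constructed values).
ENV = {
    "APPDATA": r"C:\Users\Admin\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\Admin\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
}

# Directories an unprivileged user can write to; anything executing from here
# on a boot/logon/time trigger deserves a look.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

TASKS = {
    # Hypothetical task pointing at the dropped copy seen in the report.
    "Suspect_Task_A": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"%AppData%\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe"</Command></Exec>
  </Actions>
</Task>""",
    # Constructed benign task: runs from the system directory.
    "Benign_Task_B": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-08-15T04:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\notepad.exe</Command><Arguments>/p</Arguments></Exec>
  </Actions>
</Task>""",
}


def expand_env(value, env):
    """Expand %VAR% references case-insensitively from the supplied map (not os.environ)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def parse_task(xml_text):
    """Return the trigger element names and the (command, arguments) pairs of a task."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd, args))
    return {"triggers": triggers, "actions": actions}


def hunt_tasks(tasks, env=ENV):
    """Return [(task_name, triggers, expanded_command)] for every task whose
    executable resolves to one of WRITABLE_PREFIXES."""
    findings = []
    for name, xml_text in tasks.items():
        info = parse_task(xml_text)
        for cmd, _ in info["actions"]:
            full = expand_env(cmd, env).lower()
            if full.startswith(WRITABLE_PREFIXES):
                findings.append((name, info["triggers"], full))
    return findings


if __name__ == "__main__":
    for name, triggers, cmd in hunt_tasks(TASKS):
        print(f"{name}: {triggers} -> {cmd}")
```

On a live host the definitions live under C:\Windows\System32\Tasks; read each file as bytes and hand the bytes to ET.fromstring unchanged so the parser honours the file's own UTF-16 declaration. Environment variables are expanded from an explicit map rather than os.environ so the check gives the same answer whoever runs it and whichever profile the task was registered under.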
Processes
C:\Users\Admin\AppData\Local\Temp\d804e70c7b5fd8d9c308278e03dc94a0N.exe  (PID 4768)
  command line: "C:\Users\Admin\AppData\Local\Temp\d804e70c7b5fd8d9c308278e03dc94a0N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe  (PID 1944)
      command line: C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\system32\svchost.exe  (PID 5028)
          command line: C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe  (PID 1964)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\svchost.exe  (PID 4408)
      command line: C:\Windows\system32\svchost.exe
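The WriteProcessMemory rows and the process tree above are enough to write two host detections. The following Python is an added example, not part of the sandbox report: the PIDs, image paths and parent links are copied from the report, the IoC text is a constructed excerpt in the report's own row format, and the two rules (svchost.exe whose parent is not services.exe; a process running from a user-writable directory writing into the memory of a process running from the Windows system directory) are this example's own assumptions about what to alert on.

```python
"""Turn the report's WriteProcessMemory IoCs and process tree into two detections.

Added example, not from the report. PROCESSES is copied from the report's
process tree; IOC_TEXT is a constructed excerpt in the report's row format;
USER_WRITABLE and SYSTEM_DIRS are this example's assumptions.
"""
import re
from collections import Counter

# pid -> (image path, parent pid); None = parent not shown in the report.
PROCESSES = {
    4768: (r"C:\Users\Admin\AppData\Local\Temp\d804e70c7b5fd8d9c308278e03dc94a0N.exe", None),
    1944: (r"C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe", 4768),
    5028: (r"C:\Windows\system32\svchost.exe", 1944),
    1964: (r"C:\Users\Admin\AppData\Roaming\WinSocket\d904e80c8b6fd9d9c309289e03dc94a0N.exe", None),
    4408: (r"C:\Windows\system32\svchost.exe", 1964),
}

# Constructed excerpt in the report's flattened format (the real table repeats
# the 1944->5028 and 1964->4408 rows many more times).
IOC_TEXT = (
    "description pid Process procid_target "
    "PID 4768 wrote to memory of 1944 4768 d804e70c7b5fd8d9c308278e03dc94a0N.exe 84 "
    "PID 4768 wrote to memory of 1944 4768 d804e70c7b5fd8d9c308278e03dc94a0N.exe 84 "
    "PID 1944 wrote to memory of 5028 1944 d904e80c8b6fd9d9c309289e03dc94a0N.exe 85 "
    "PID 1944 wrote to memory of 5028 1944 d904e80c8b6fd9d9c309289e03dc94a0N.exe 85 "
    "PID 1964 wrote to memory of 4408 1964 d904e80c8b6fd9d9c309289e03dc94a0N.exe 101 "
)

# One row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_records(text):
    """Parse the flattened rows into (source_pid, target_pid, source_image, procid_target)."""
    return [(int(s), int(t), img, int(p)) for s, t, _, img, p in RECORD.findall(text)]


def image_of(pid, processes):
    """Lower-cased image path for a pid, or '' when the pid is unknown."""
    return processes.get(pid, ("", None))[0].lower()


def svchost_with_odd_parent(processes):
    """Rule 1: svchost.exe whose parent is not services.exe.
    Returns [(svchost_pid, parent_pid)] in tree order."""
    hits = []
    for pid, (image, parent) in processes.items():
        if image.lower().endswith("\\svchost.exe"):
            if not image_of(parent, processes).endswith("\\services.exe"):
                hits.append((pid, parent))
    return hits


def cross_process_writes(records, processes):
    """Rule 2: writes from a user-writable image into a system-directory image.
    Returns {(source_pid, target_pid): write_count}."""
    hits = Counter()
    for src, dst, _, _ in records:
        if src == dst:
            continue
        if (image_of(src, processes).startswith(USER_WRITABLE)
                and image_of(dst, processes).startswith(SYSTEM_DIRS)):
            hits[(src, dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_records(IOC_TEXT)
    print("svchost.exe with non-services.exe parent:", svchost_with_odd_parent(PROCESSES))
    print("user-writable -> system-image writes:", cross_process_writes(recs, PROCESSES))
```

Rule 2 deliberately ignores the 4768 -> 1944 writes: a parent writing into the child it has just started from its own dropped copy is worth noting, but the high-confidence signal in this tree is the AppData binary writing into svchost.exe, which is also the process Rule 1 flags because its parent is the malware rather than services.exe.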
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: d804e70c7b5fd8d9c308278e03dc94a0
SHA1: 965eb9430e085481861b927cc721a33bcc1d62e8
SHA256: 044ce8c84830aa4f340192a66ea1df8c197a4350cece903569ecc504bfda8b88
SHA512: 147d4ae3d763c97352077768c083419133d10ebf8a19a3eb9516ad8584891ff0628ad7ab2967e85278ecdb857a311435069d25c43c7dac3479edfc22b0687b84