Analysis
- max time kernel: 112s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2024 22:38
Behavioral task: behavioral1
Sample: 7dcee7047f1eb19c5412c99a6f967190N.exe
Resource: win7-20240708-en
General
- Target: 7dcee7047f1eb19c5412c99a6f967190N.exe
- Size: 1.4MB
- MD5: 7dcee7047f1eb19c5412c99a6f967190
- SHA1: 495b5b63ba37ba404de56f6e1b3f6702a3947ce8
- SHA256: 4ea3b32ca07f0a39906da12c1cae3a75b9d34d7866058c600f3d38e43bd934fa
- SHA512: cf7000951a0d64271866028e1b2737293c9bb7825c158120cd7a93e8a8201352355c27c2ded735d25a1699016174908ae3096b3b2d26f003484e300e8dc42fb4
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQtpj/Yz6XVSvmHaZkI+oq6dTnHv5yIi734DHr0ESjdkl:E5aIwC+Agr6St1lOqq+jCpLWU
Malware Config
Signatures
- KPOT Core Executable (1 IoCs)
  resource: behavioral2/files/0x00070000000234ef-21.dat
  yara_rule: family_kpot
- Trickbot x86 loader (1 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral2/memory/764-15-0x0000000002320000-0x0000000002349000-memory.dmp
  yara_rule: trickbot_loader32
- Executes dropped EXE (2 IoCs)
  pid 4988: 8dcee8048f1eb19c6412c99a7f978190N.exe
  pid 4448: 8dcee8048f1eb19c6412c99a7f978190N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7dcee7047f1eb19c5412c99a6f967190N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8dcee8048f1eb19c6412c99a7f978190N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8dcee8048f1eb19c6412c99a7f978190N.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeTcbPrivilege, pid 4448, 8dcee8048f1eb19c6412c99a7f978190N.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 764: 7dcee7047f1eb19c5412c99a6f967190N.exe
  pid 4988: 8dcee8048f1eb19c6412c99a7f978190N.exe
  pid 4448: 8dcee8048f1eb19c6412c99a7f978190N.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\7dcee7047f1eb19c5412c99a6f967190N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dcee7047f1eb19c5412c99a6f967190N.exe"
  PID: 764
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\8dcee8048f1eb19c6412c99a7f978190N.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\8dcee8048f1eb19c6412c99a7f978190N.exe
    PID: 4988
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4264
- C:\Users\Admin\AppData\Roaming\WinSocket\8dcee8048f1eb19c6412c99a7f978190N.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\8dcee8048f1eb19c6412c99a7f978190N.exe
  PID: 4448
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 7dcee7047f1eb19c5412c99a6f967190
  SHA1: 495b5b63ba37ba404de56f6e1b3f6702a3947ce8
  SHA256: 4ea3b32ca07f0a39906da12c1cae3a75b9d34d7866058c600f3d38e43bd934fa
  SHA512: cf7000951a0d64271866028e1b2737293c9bb7825c158120cd7a93e8a8201352355c27c2ded735d25a1699016174908ae3096b3b2d26f003484e300e8dc42fb4