Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24-08-2024 10:35
Behavioral task
behavioral1
Sample
a90cb60a7894ecc28d5be3ad83ea15a0N.exe
Resource
win7-20240704-en
General
-
Target
a90cb60a7894ecc28d5be3ad83ea15a0N.exe
-
Size
1.3MB
-
MD5
a90cb60a7894ecc28d5be3ad83ea15a0
-
SHA1
26832a83c7ac748809aa495561c7ab6c09011ac6
-
SHA256
510a2c74eb7ffb7f81747c6bfc9df95717386af59f45fbe9b895318aa3b88508
-
SHA512
22270da1485ef3417b2fa641870942b459b7604944c193e3920946c8d2860c4faf5930f2f6a0a213389d31ad9404b4086682bd4d43e81d1c857cdd0eeb2a5db0
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+sEDm1xzBZMhzNX:E5aIwC+Agr6SNasrsQm7BZczR
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016d31-20.dat family_kpot -
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource yara_rule behavioral1/memory/2780-15-0x00000000002A0000-0x00000000002C9000-memory.dmp trickbot_loader32 -
Executes dropped EXE 2 IoCs
pid Process 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe -
Loads dropped DLL 2 IoCs
pid Process 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe -
pid Process 2712 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2584 sc.exe 2664 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a90cb70a8994ecc29d6be3ad93ea16a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a90cb60a7894ecc28d5be3ad83ea15a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a90cb70a8994ecc29d6be3ad93ea16a0N.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 2712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2712 powershell.exe Token: SeTcbPrivilege 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2872 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 30 PID 2780 wrote to memory of 2872 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 30 PID 2780 wrote to memory of 2872 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 30 PID 2780 wrote to memory of 2872 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 30 PID 2780 wrote to memory of 2676 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 31 PID 2780 wrote to memory of 2676 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 31 PID 2780 wrote to memory of 2676 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 31 PID 2780 wrote to memory of 2676 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 31 PID 2780 wrote to memory of 2628 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 33 PID 2780 wrote to memory of 2628 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 33 PID 2780 wrote to memory of 2628 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 33 PID 2780 wrote to memory of 2628 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 33 PID 2780 wrote to memory of 2864 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 36 PID 2780 wrote to memory of 2864 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 36 PID 2780 wrote to memory of 2864 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 36 PID 2780 wrote to memory of 2864 2780 a90cb60a7894ecc28d5be3ad83ea15a0N.exe 36 PID 2872 wrote to memory of 2584 2872 cmd.exe 37 PID 2872 wrote to memory of 2584 2872 cmd.exe 37 PID 2872 wrote to memory of 2584 2872 cmd.exe 37 PID 2872 wrote to memory of 2584 2872 cmd.exe 37 PID 2676 wrote to memory of 2664 2676 cmd.exe 38 PID 2676 wrote to memory of 2664 2676 cmd.exe 38 PID 2676 wrote to memory of 2664 2676 cmd.exe 38 PID 2676 wrote to memory of 2664 2676 cmd.exe 38 PID 2628 wrote to memory of 2712 2628 cmd.exe 39 PID 2628 wrote to memory of 2712 2628 cmd.exe 39 PID 2628 wrote to memory of 2712 2628 cmd.exe 39 PID 2628 wrote to memory of 2712 2628 cmd.exe 39 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 2864 wrote to memory of 572 2864 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 40 PID 1896 wrote to memory of 1912 1896 taskeng.exe 43 PID 1896 wrote to memory of 1912 1896 taskeng.exe 43 PID 1896 wrote to memory of 1912 1896 taskeng.exe 43 PID 1896 wrote to memory of 1912 1896 taskeng.exe 43 PID 1912 wrote to memory of 2444 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 44 PID 1912 wrote to memory of 2444 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 44 PID 1912 wrote to memory of 2444 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 44 PID 1912 wrote to memory of 2444 1912 a90cb70a8994ecc29d6be3ad93ea16a0N.exe 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a90cb60a7894ecc28d5be3ad83ea15a0N.exe"C:\Users\Admin\AppData\Local\Temp\a90cb60a7894ecc28d5be3ad83ea15a0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2584
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\a90cb70a8994ecc29d6be3ad93ea16a0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\a90cb70a8994ecc29d6be3ad93ea16a0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:572
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A2E62E76-8405-4686-A49D-D389F801EF3E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\Roaming\WinSocket\a90cb70a8994ecc29d6be3ad93ea16a0N.exeC:\Users\Admin\AppData\Roaming\WinSocket\a90cb70a8994ecc29d6be3ad93ea16a0N.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:2444
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5a90cb60a7894ecc28d5be3ad83ea15a0
SHA126832a83c7ac748809aa495561c7ab6c09011ac6
SHA256510a2c74eb7ffb7f81747c6bfc9df95717386af59f45fbe9b895318aa3b88508
SHA51222270da1485ef3417b2fa641870942b459b7604944c193e3920946c8d2860c4faf5930f2f6a0a213389d31ad9404b4086682bd4d43e81d1c857cdd0eeb2a5db0