Analysis
max time kernel: 112s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-08-2024 19:32
Behavioral task: behavioral1
Sample: 8b35a9361bac82977892d572c5e1e600N.exe
Resource: win7-20240708-en
General
Target: 8b35a9361bac82977892d572c5e1e600N.exe
Size: 1.3MB
MD5: 8b35a9361bac82977892d572c5e1e600
SHA1: 1585d62b466c2c9f598de8a68348c9e18d60f546
SHA256: a5c2ce8576ecdee9b5018115ce3791a2fad5960939c4a39b88e6d2e96ecefc10
SHA512: e13c5f8aa67fa84195d88fb6009ab780016d5d941b54d557d0de3215dc5647f59a1642ce2ff9d2246bef2c3ab1e26a292c11407950889ec47763806d17f2ab6e
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+sEDm1xzBZMge:E5aIwC+Agr6SNasrsQm7BZa
Malware Config
Signatures
KPOT Core Executable 1 IoCs
  resource: behavioral2/files/0x00070000000234b6-21.dat
  yara_rule: family_kpot
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral2/memory/3000-16-0x00000000029C0000-0x00000000029E9000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE 2 IoCs
  pid 1548  9b36a9371bac92988992d682c6e1e700N.exe
  pid 1616  9b36a9371bac92988992d682c6e1e700N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b36a9371bac92988992d682c6e1e700N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b36a9371bac92988992d682c6e1e700N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8b35a9361bac82977892d572c5e1e600N.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeTcbPrivilege  pid 1616  9b36a9371bac92988992d682c6e1e700N.exe
Suspicious use of SetWindowsHookEx 3 IoCs
  pid 3000  8b35a9361bac82977892d572c5e1e600N.exe
  pid 1548  9b36a9371bac92988992d682c6e1e700N.exe
  pid 1616  9b36a9371bac92988992d682c6e1e700N.exe
Suspicious use of WriteProcessMemory 55 IoCs
Distinct entries (each repeated many times in the raw log):
  PID 3000 wrote to memory of 1548  Process: 8b35a9361bac82977892d572c5e1e600N.exe  procid_target: 85
  PID 1548 wrote to memory of 3848  Process: 9b36a9371bac92988992d682c6e1e700N.exe  procid_target: 87
  PID 1616 wrote to memory of 4048  Process: 9b36a9371bac92988992d682c6e1e700N.exe  procid_target: 101
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\8b35a9361bac82977892d572c5e1e600N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b35a9361bac82977892d572c5e1e600N.exe"
  PID: 3000
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\WinSocket\9b36a9371bac92988992d682c6e1e700N.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\9b36a9371bac92988992d682c6e1e700N.exe
    PID: 1548
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3848

C:\Users\Admin\AppData\Roaming\WinSocket\9b36a9371bac92988992d682c6e1e700N.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\9b36a9371bac92988992d682c6e1e700N.exe
  PID: 1616
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 4048
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 8b35a9361bac82977892d572c5e1e600
SHA1: 1585d62b466c2c9f598de8a68348c9e18d60f546
SHA256: a5c2ce8576ecdee9b5018115ce3791a2fad5960939c4a39b88e6d2e96ecefc10
SHA512: e13c5f8aa67fa84195d88fb6009ab780016d5d941b54d557d0de3215dc5647f59a1642ce2ff9d2246bef2c3ab1e26a292c11407950889ec47763806d17f2ab6e