Overview

overview

10

Static

static

10

c3ac2cb750...eN.exe

windows7-x64

10

c3ac2cb750...eN.exe

windows10-2004-x64

10

Resubmissions

23-09-2024 08:07

240923-jz9k4szara 10

22-09-2024 14:12

240922-rh8lgstbrf 10

Analysis

  • max time kernel
    70s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe

  • Size

    1.5MB

  • MD5

    e83ae2bb70cc2c59c4829d7f7fa88cb0

  • SHA1

    7c0ee8a76e4f2518fb3c67c4a4df4f8566eb7016

  • SHA256

    c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01e

  • SHA512

    1a143a95ef9d1aeeefa31a851adc65ef1db4ebf2323107eb2f633435fb8358acc70541015caf86c48b44fb8fc95c8669d1585c2935116f173e9d32ce6989051d

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6xQtpj/Yz6XVSvmHaZkI+oq6dTnHv5yIi734DHr0ESjdkMwa7:E5aIwC+Agr6St1lOqq+jCpLWgO

Score
10/10
kpottrickbotbankerdiscoveryevasionexecutionstealertrojan

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

    trojanstealerkpot
  • KPOT Core Executable 1 IoCs
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
    "C:\Users\Admin\AppData\Local\Temp\c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
    • C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
      C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1904
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2004
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {952A9AC9-E793-4710-834E-96AC1AB3C3F5} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
        PID:264
        • C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
          C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:324
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            3⤵
              PID:1708

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          050857d1c290e044817fc759f5f91598

          SHA1

          e5695da9b9d022a878fda756816f7a6808ea4fba

          SHA256

          6f92e86b8ba176c33aa3f5f011410abd749597c893e2b9f6e5fda7442d098955

          SHA512

          8ac9ae47771e1f73061b6c573bd2c471aa035fe7a82c582fdb9389da4b1c3ed1eedc8f0e26107df35cdb4a683b1de90eaffe0f6892324fc0405f3dcf7c2f23ef

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
          Filesize

          1.5MB

          MD5

          e83ae2bb70cc2c59c4829d7f7fa88cb0

          SHA1

          7c0ee8a76e4f2518fb3c67c4a4df4f8566eb7016

          SHA256

          c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01e

          SHA512

          1a143a95ef9d1aeeefa31a851adc65ef1db4ebf2323107eb2f633435fb8358acc70541015caf86c48b44fb8fc95c8669d1585c2935116f173e9d32ce6989051d

          Download Submit

        • memory/2004-49-0x0000000010000000-0x000000001001E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2004-50-0x0000000010000000-0x000000001001E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2540-10-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-7-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-12-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-11-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-2-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-9-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-8-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-15-0x00000000002B0000-0x00000000002D9000-memory.dmp

          Filesize

          164KB

          Download

        • memory/2540-6-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-5-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-4-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-3-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-14-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-18-0x0000000000400000-0x0000000000472000-memory.dmp

          Filesize

          456KB

          Download

        • memory/2540-17-0x0000000000421000-0x0000000000422000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2540-13-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-41-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-39-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-38-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-37-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-35-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-34-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-30-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-40-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2736-44-0x0000000000400000-0x0000000000472000-memory.dmp

          Filesize

          456KB

          Download

        • memory/2736-45-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

          Download