Analysis
- max time kernel: 66s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 05:20
Behavioral task
- behavioral1
  - Sample: NEAS.466623ad0a51ad3a78040360a82ec0e0.exe
  - Resource: win7-20231020-en
General
- Target: NEAS.466623ad0a51ad3a78040360a82ec0e0.exe
- Size: 711KB
- MD5: 466623ad0a51ad3a78040360a82ec0e0
- SHA1: c23b990adc2a023385da2da5945663c6445b30a9
- SHA256: 0b33cc60914d167c86757b0483a329de4b127f970a7ce535ae261d4db21ce683
- SHA512: 90dc18c71d264d341ac7cf8ae15ae06f7e737b06b295fa185e8782161b925ca8cfc3cc872e46c1d04cfa6025f82795e2b6b1422853389f9de4c8884e4647155e
- SSDEEP: 12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQGCsksQjn6YHldGs8ux:zQ5aILMCfmAUjzX6xQGCZLFdGfux
Malware Config
(none extracted)

Signatures
- KPOT Core Executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000022dfe-22.dat | family_kpot
  behavioral2/files/0x0008000000022dfe-23.dat | family_kpot
  behavioral2/files/0x0008000000022dfe-60.dat | family_kpot
- Trickbot x86 loader (5 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource | yara_rule
  behavioral2/memory/1096-15-0x0000000002280000-0x00000000022A9000-memory.dmp | trickbot_loader32
  behavioral2/memory/1096-19-0x0000000002280000-0x00000000022A9000-memory.dmp | trickbot_loader32
  behavioral2/memory/1096-25-0x0000000002280000-0x00000000022A9000-memory.dmp | trickbot_loader32
  behavioral2/memory/4280-44-0x0000000002FF0000-0x0000000003019000-memory.dmp | trickbot_loader32
  behavioral2/memory/4280-59-0x0000000002FF0000-0x0000000003019000-memory.dmp | trickbot_loader32
- Executes dropped EXE (2 IoCs)
  pid | Process
  4280 | NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
  2792 | NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1096 | NEAS.466623ad0a51ad3a78040360a82ec0e0.exe
  4280 | NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
  2792 | NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 1096 wrote to memory of 4280 | 1096 | NEAS.466623ad0a51ad3a78040360a82ec0e0.exe | 88
  PID 1096 wrote to memory of 4280 | 1096 | NEAS.466623ad0a51ad3a78040360a82ec0e0.exe | 88
  PID 1096 wrote to memory of 4280 | 1096 | NEAS.466623ad0a51ad3a78040360a82ec0e0.exe | 88
  PID 4280 wrote to memory of 3096 | 4280 | NFAS.466623ad0a51ad3a78040360a82ec0e0.exe | 90
  (the remaining 26 of the 29 entries are identical to the preceding row: PID 4280 wrote to memory of 3096, NFAS.466623ad0a51ad3a78040360a82ec0e0.exe, procid_target 90)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.466623ad0a51ad3a78040360a82ec0e0.exe (PID 1096)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.466623ad0a51ad3a78040360a82ec0e0.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.466623ad0a51ad3a78040360a82ec0e0.exe (PID 4280)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 3096)
      command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.466623ad0a51ad3a78040360a82ec0e0.exe (PID 2792)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.466623ad0a51ad3a78040360a82ec0e0.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 711KB
  MD5: 466623ad0a51ad3a78040360a82ec0e0
  SHA1: c23b990adc2a023385da2da5945663c6445b30a9
  SHA256: 0b33cc60914d167c86757b0483a329de4b127f970a7ce535ae261d4db21ce683
  SHA512: 90dc18c71d264d341ac7cf8ae15ae06f7e737b06b295fa185e8782161b925ca8cfc3cc872e46c1d04cfa6025f82795e2b6b1422853389f9de4c8884e4647155e