Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 23:09
Behavioral task
behavioral1
Sample: 2d6b22ddd824668bf44557810eee2ef0_NEAS.exe
Resource: win7-20231129-en
General
Target: 2d6b22ddd824668bf44557810eee2ef0_NEAS.exe
Size: 1.2MB
MD5: 2d6b22ddd824668bf44557810eee2ef0
SHA1: 554588aa2bb768ceaa722fc121f7a06369ff10d4
SHA256: 40789cd8a229a28e6630a9175fee3054e35d403655acffd2c78a1551f0710ce7
SHA512: 5ba5f31fa6eed59afacfb143a4ed23d5d32aa25f3b74bb42b735e6e82b370168a60855ce45e9c01c27908a89885c35f67d1625d8fb6fc6e1f141feef164644af
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIwT:E5aIwC+Agr6S/FEVB
Malware Config
Signatures
- KPOT Core Executable 1 IoCs
  Processes:
  resource: C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe; yara_rule: family_kpot
- Trickbot x86 loader 1 IoCs
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
  resource: behavioral2/memory/4764-15-0x0000000002280000-0x00000000022A9000-memory.dmp; yara_rule: trickbot_loader32
- Executes dropped EXE 3 IoCs
  Processes:
  PID 3024: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  PID 2044: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  PID 4748: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  Token: SeTcbPrivilege; PID 2044: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  Token: SeTcbPrivilege; PID 4748: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
- Suspicious use of SetWindowsHookEx 4 IoCs
  Processes:
  PID 4764: 2d6b22ddd824668bf44557810eee2ef0_NEAS.exe
  PID 3024: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  PID 2044: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  PID 4748: 2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
- Suspicious use of WriteProcessMemory 64 IoCs
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2d6b22ddd824668bf44557810eee2ef0_NEAS.exe (PID 4764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d6b22ddd824668bf44557810eee2ef0_NEAS.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe (PID 3024)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 3280)
      Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe (PID 2044)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 392)
    Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe (PID 4748)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\2d7b22ddd924779bf44668910eee2ef0_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 3804)
    Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 2d6b22ddd824668bf44557810eee2ef0
  SHA1: 554588aa2bb768ceaa722fc121f7a06369ff10d4
  SHA256: 40789cd8a229a28e6630a9175fee3054e35d403655acffd2c78a1551f0710ce7
  SHA512: 5ba5f31fa6eed59afacfb143a4ed23d5d32aa25f3b74bb42b735e6e82b370168a60855ce45e9c01c27908a89885c35f67d1625d8fb6fc6e1f141feef164644af
- Filesize: 25KB
  MD5: 04644379ce0dc6b4d3a3d560c1d5d8ee
  SHA1: 4f7865352ce4e1fa26f66a2bff8cf7bba382712b
  SHA256: 55efc84708d57bf0f52e9a46c7c6903ad669628ca60c277c1be28cd7a23be6aa
  SHA512: ea5541aa297568d077a33b8b371bd7ef5d21efddf497b0bee2f37bbe214c676d5494ceab99eac045e81d999c988f1f61e342e4c31a2edb90eb4cf1b9e506d2a9