Malware Analysis Report

2024-10-19 01:05

Sample ID 240506-2gzmashc63
Target 25d2abd51b53bd9608c30f1ab12b8e30_NEAS
SHA256 57b266b933655910e74c8a6bd7fe46e484ae4c3a29d306e97ddef28dfa5c2c35
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57b266b933655910e74c8a6bd7fe46e484ae4c3a29d306e97ddef28dfa5c2c35

Threat Level: Known bad

The file 25d2abd51b53bd9608c30f1ab12b8e30_NEAS was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

Kpot family

KPOT

Trickbot

KPOT Core Executable

Trickbot x86 loader

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 22:33

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 22:33

Reported

2024-05-06 22:36

Platform

win7-20240221-en

Max time kernel

135s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 2972 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 2972 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 2972 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 2620 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2620 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2620 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2620 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2732 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2732 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2732 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2732 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2624 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 2624 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\system32\taskeng.exe

taskeng.exe {7DA81BE3-05C2-4FC0-B78D-33ACD13CE321} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

memory/2972-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2972-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/2972-15-0x0000000000480000-0x00000000004A9000-memory.dmp

memory/2972-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-13-0x00000000003E0000-0x00000000003E1000-memory.dmp

\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

MD5 25d2abd51b53bd9608c30f1ab12b8e30
SHA1 825653353a4b79479d6b44efc31f15a09f61cd07
SHA256 57b266b933655910e74c8a6bd7fe46e484ae4c3a29d306e97ddef28dfa5c2c35
SHA512 ddcb765d14a1a2994edfcbc407a3b2e6c35d8bccd0e063382bbf1838e6e328a1cae35f9a6de8d58311f07b640f99e51c16f360ada27bb07deb10c27c4552b064

memory/2624-41-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-40-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-46-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2436-49-0x0000000010000000-0x000000001001E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1389HCRPZOQ5Z4M5PS1U.temp

MD5 a815a7c3f4cf7778675f5f5d47ae0182
SHA1 490e49a84b5e13fdb6ab4dd950416a62e7507702
SHA256 d3f35503eb2bd0606becd3331ba7ab6b2aa7b90131f972d0248c269224c92dac
SHA512 9d3d5cfcc4613209321d76727c1f1c27796d063f9d25a5f996b763c893a88dd97527307ecde4d344a7a694e4d1350703480ccefc57cb5fc2d7bc8f31fd20ec16

memory/2436-51-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2624-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2624-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2624-39-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-38-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-37-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-36-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-35-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-34-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-33-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-32-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-31-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2624-30-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2972-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2972-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1872-77-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-76-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-75-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-74-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-73-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-72-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-71-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-70-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-69-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-68-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-67-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1872-66-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1304-94-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1304-93-0x00000000002D0000-0x00000000002D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 22:33

Reported

2024-05-06 22:36

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 1184 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 1184 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 1188 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 404 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe
PID 888 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\25d2abd51b53bd9608c30f1ab12b8e30_NEAS.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country  Destination         Domain                         Proto
GB       142.250.200.42:443  N/A                            tcp
US       8.8.8.8:53          183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       13.107.246.64:443   N/A                            tcp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53          34.56.20.217.in-addr.arpa      udp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa     udp
US       76.107.90.235:449   N/A                            tcp
US       76.107.90.235:449   N/A                            tcp
US       8.8.8.8:53          90.16.208.104.in-addr.arpa     udp

Files

memory/1184-14-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-13-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-12-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-11-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-10-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1184-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/1184-15-0x0000000002BC0000-0x0000000002BE9000-memory.dmp

memory/1184-9-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-8-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-7-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-6-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-5-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-4-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-3-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1184-2-0x0000000002280000-0x0000000002281000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\26d2abd61b63bd9709c30f1ab12b9e30_NFAS.exe

MD5 25d2abd51b53bd9608c30f1ab12b8e30
SHA1 825653353a4b79479d6b44efc31f15a09f61cd07
SHA256 57b266b933655910e74c8a6bd7fe46e484ae4c3a29d306e97ddef28dfa5c2c35
SHA512 ddcb765d14a1a2994edfcbc407a3b2e6c35d8bccd0e063382bbf1838e6e328a1cae35f9a6de8d58311f07b640f99e51c16f360ada27bb07deb10c27c4552b064

memory/1188-37-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1188-36-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-35-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-34-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/5092-51-0x0000025D051B0000-0x0000025D051B1000-memory.dmp

memory/5092-47-0x0000000010000000-0x000000001001E000-memory.dmp

memory/1188-42-0x0000000010000000-0x0000000010007000-memory.dmp

memory/1188-33-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-32-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-31-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-30-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-53-0x00000000031C0000-0x0000000003489000-memory.dmp

memory/1188-52-0x0000000003100000-0x00000000031BE000-memory.dmp

memory/1188-29-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-28-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-27-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1188-26-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/404-58-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-59-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-60-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-61-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-62-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-63-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-64-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-66-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-65-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-67-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-69-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-68-0x0000000001600000-0x0000000001601000-memory.dmp

memory/404-72-0x0000000000421000-0x0000000000422000-memory.dmp

memory/404-73-0x0000000000400000-0x0000000000472000-memory.dmp

memory/404-84-0x0000000001BC0000-0x0000000001C7E000-memory.dmp