Analysis
Max time kernel: 142s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-05-2024 20:28
Behavioral task: behavioral1
Sample: 0e15cbed89164419c433bffcef31bb20_NEAS.exe
Resource: win7-20231129-en
General
Target: 0e15cbed89164419c433bffcef31bb20_NEAS.exe
Size: 1.3MB
MD5: 0e15cbed89164419c433bffcef31bb20
SHA1: fa76410f62d9c8d41bc46772e3c80105465a0007
SHA256: e4055f4dc1d1a08c4b82b818b7ee2ca313aae5039356266a8d3ff4ba1182ea40
SHA512: c4aad8bcbbf36322daa211942699ab25d60626e3276d3e3c10035ea4668a2420e80e55ddd557ccefa43c21d54d215cc21152864fe1c21fe5e94c9eb6b2495a2a
SSDEEP: 24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0UOSQkV:E5aIwC+Agr6twjVDdV
Malware Config
Signatures

KPOT Core Executable (1 IoC)
Processes:
  Resource: C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe
  YARA rule: family_kpot

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  Resource: behavioral2/memory/3228-15-0x0000000002AF0000-0x0000000002B19000-memory.dmp
  YARA rule: trickbot_loader32

Executes dropped EXE (3 IoCs)
Processes:
  PID 5596  0e16cbed99174419c433bffcef31bb20_NFAS.exe
  PID 2216  0e16cbed99174419c433bffcef31bb20_NFAS.exe
  PID 2128  0e16cbed99174419c433bffcef31bb20_NFAS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeTcbPrivilege  PID 2216  0e16cbed99174419c433bffcef31bb20_NFAS.exe
  Token: SeTcbPrivilege  PID 2128  0e16cbed99174419c433bffcef31bb20_NFAS.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  PID 3228  0e15cbed89164419c433bffcef31bb20_NEAS.exe
  PID 5596  0e16cbed99174419c433bffcef31bb20_NFAS.exe
  PID 2216  0e16cbed99174419c433bffcef31bb20_NFAS.exe
  PID 2128  0e16cbed99174419c433bffcef31bb20_NFAS.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct source PID → target PID pairs; the report repeats each pair many times):
  PID 3228 (0e15cbed89164419c433bffcef31bb20_NEAS.exe) wrote to memory of PID 5596 (0e16cbed99174419c433bffcef31bb20_NFAS.exe)
  PID 5596 (0e16cbed99174419c433bffcef31bb20_NFAS.exe) wrote to memory of PID 2152 (svchost.exe)
  PID 2216 (0e16cbed99174419c433bffcef31bb20_NFAS.exe) wrote to memory of PID 3388 (svchost.exe)
  PID 2128 (0e16cbed99174419c433bffcef31bb20_NFAS.exe) wrote to memory of PID 4076 (svchost.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number gives the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\0e15cbed89164419c433bffcef31bb20_NEAS.exe (PID 3228)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e15cbed89164419c433bffcef31bb20_NEAS.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe (PID 5596)
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\svchost.exe (PID 2152)
         Command line: C:\Windows\system32\svchost.exe

1. C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe (PID 2216)
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe (PID 3388)
      Command line: C:\Windows\system32\svchost.exe

1. C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe (PID 2128)
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0e16cbed99174419c433bffcef31bb20_NFAS.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe (PID 4076)
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 55KB
MD5: df81cd9811bfa9c0be1045aed4e4fe50
SHA1: 521c8d861428f5260bd03149120a3acf3a90da49
SHA256: d361d81c3c59891823012ed3afffa915a11d77e75b5ba7d86d712c241bb74040
SHA512: 4d3896f8c9692738ba3feeb4a62fe319b25dad1ae09bf7f7fb7afb78c250c626910d6649cbb3499543aa17fbd5e466848f983ad17c939998abe7e5dfa7848f77