Analysis
max time kernel: 135s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2024 19:52
Behavioral task: behavioral1
Sample: 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
Resource: win7-20240221-en
General
Target: 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
Size: 1.2MB
MD5: 07af45ec7157d54a08c8f6d2406420e0
SHA1: ffb328e6c8439ba7f1f42c0329b85ec9067d7b8d
SHA256: 096c1a47f0ab13fb8e44463b8af44dbee3bca5bdeff41dfa37399f1f9a1f2f71
SHA512: 49e9d993348b757252dd010efdbe2c6f52396f901119135aa457a3d48723464d24bb589b41705896a43cb8339314ecbec007888f6071d7039415db797a1107c4
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdrz7/w6gZ5VOcMIw+WAQJd:E5aIwC+Agr6S/FWls5qf
Malware Config
Signatures
-
KPOT Core Executable (1 IoC)
YARA rule family_kpot matched on the dropped file \Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe.
The two family rules on this page disagree: KPOT on the dropped file, Trickbot loader in memory. The recorded behaviour (a copy under %APPDATA%\Roaming\WinSocket with an incremented file name, sc.exe and Set-MpPreference tampering with Windows Defender, svchost.exe spawned as an injection host, a scheduled-task relaunch as SYSTEM) is consistent with the Trickbot loader hit, so classify on the memory hit and the behaviour rather than on the file-based rule alone.
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
YARA rule trickbot_loader32 matched in memory of PID 996: behavioral1/memory/996-15-0x0000000000340000-0x0000000000369000-memory.dmp
Executes dropped EXE (3 IoCs)
08af46ec8168d64a09c9f7d2407420e0_NFAS.exe: PID 3068, PID 2872, PID 956
Loads dropped DLL (2 IoCs)
07af45ec7157d54a08c8f6d2406420e0_NEAS.exe: PID 996 (two loads)
Drops file in System32 directory (2 IoCs)
powershell.exe (both instances): File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
This is powershell.exe touching its own Start Menu shortcut; the unexpanded %ProgramData% appended to the SysWOW64 working directory shows it is a relative-path side effect of launching PowerShell, not a file the malware planted. Treat the hit as low-signal; the Set-MpPreference command line is the indicator.
Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
sc.exe: PID 2816, PID 2480, PID 848, PID 2420
Suspicious behavior: EnumeratesProcesses (8 IoCs)
07af45ec7157d54a08c8f6d2406420e0_NEAS.exe: PID 996 (3)
08af46ec8168d64a09c9f7d2407420e0_NFAS.exe: PID 3068 (3)
powershell.exe: PID 2416, PID 2768
Suspicious use of AdjustPrivilegeToken (4 IoCs)
SeDebugPrivilege: PID 2416 powershell.exe, PID 2768 powershell.exe
SeTcbPrivilege: PID 2872 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe, PID 956 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
SeTcbPrivilege (act as part of the operating system) is by default assigned only to the SYSTEM account. The two copies that enable it are the ones started by taskeng.exe as S-1-5-18, not the copy started directly by the original sample (PID 3068), which confirms the scheduled task runs as SYSTEM.
Suspicious use of SetWindowsHookEx (4 IoCs)
07af45ec7157d54a08c8f6d2406420e0_NEAS.exe: PID 996
08af46ec8168d64a09c9f7d2407420e0_NFAS.exe: PID 3068, PID 2872, PID 956
Suspicious use of WriteProcessMemory (64 IoCs)
Writes grouped as source PID -> target PID (count):
  996 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe -> 2612 cmd.exe (4)
  996 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe -> 2616 cmd.exe (4)
  996 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe -> 2548 cmd.exe (4)
  996 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe -> 3068 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe (4)
  2612 cmd.exe -> 848 sc.exe (4)
  2616 cmd.exe -> 2420 sc.exe (4)
  2548 cmd.exe -> 2416 powershell.exe (4)
  3068 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe -> 2424 cmd.exe (4)
  3068 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe -> 2468 cmd.exe (4)
  3068 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe -> 2944 cmd.exe (4)
  3068 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe -> 2740 svchost.exe (16)
  2468 cmd.exe -> 2480 sc.exe (4)
  2944 cmd.exe -> 2768 powershell.exe (4)
The uniform four writes per ordinary child are the sandbox's record of process creation. The sixteen writes into svchost.exe (PID 2740), which was spawned with no -k service-group argument, stand out and are consistent with the payload being injected into a freshly created host process.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The registered task is visible in the process tree below: taskeng.exe (PID 2248, running as S-1-5-18 NT AUTHORITY\System) starts the WinSocket copy twice (PIDs 2872 and 956), and each of those again spawns a bare svchost.exe.
Processes
(indentation shows parent/child nesting; the lines under each process are the signature hits on it)

PID 996    C:\Users\Admin\AppData\Local\Temp\07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\07af45ec7157d54a08c8f6d2406420e0_NEAS.exe"
           Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID 2612   C:\Windows\SysWOW64\cmd.exe
             cmdline: /c sc stop WinDefend
             Suspicious use of WriteProcessMemory
    PID 848    C:\Windows\SysWOW64\sc.exe
               cmdline: sc stop WinDefend
               Launches sc.exe
  PID 2616   C:\Windows\SysWOW64\cmd.exe
             cmdline: /c sc delete WinDefend
             Suspicious use of WriteProcessMemory
    PID 2420   C:\Windows\SysWOW64\sc.exe
               cmdline: sc delete WinDefend
               Launches sc.exe
  PID 2548   C:\Windows\SysWOW64\cmd.exe
             cmdline: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
             Suspicious use of WriteProcessMemory
    PID 2416   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
               Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID 3068   C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             cmdline: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID 2424   C:\Windows\SysWOW64\cmd.exe
               cmdline: /c sc stop WinDefend
      PID 2816   C:\Windows\SysWOW64\sc.exe
                 cmdline: sc stop WinDefend
                 Launches sc.exe
    PID 2468   C:\Windows\SysWOW64\cmd.exe
               cmdline: /c sc delete WinDefend
               Suspicious use of WriteProcessMemory
      PID 2480   C:\Windows\SysWOW64\sc.exe
                 cmdline: sc delete WinDefend
                 Launches sc.exe
    PID 2944   C:\Windows\SysWOW64\cmd.exe
               cmdline: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
               Suspicious use of WriteProcessMemory
      PID 2768   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                 cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                 Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID 2740   C:\Windows\system32\svchost.exe
               cmdline: C:\Windows\system32\svchost.exe

PID 2248   C:\Windows\system32\taskeng.exe
           cmdline: taskeng.exe {08D2D61F-956C-47B0-853C-B5666C57DB44} S-1-5-18:NT AUTHORITY\System:Service:
  PID 2872   C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             cmdline: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    PID 1012   C:\Windows\system32\svchost.exe
               cmdline: C:\Windows\system32\svchost.exe
  PID 956    C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             cmdline: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    PID 3012   C:\Windows\system32\svchost.exe
               cmdline: C:\Windows\system32\svchost.exe
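Detection logic for the chain in the process tree, added here as an example and not part of the sandbox report. It assumes process-creation records shaped as (pid, ppid, image, cmdline); the EVENTS list is constructed from the tree above, with one benign services.exe starting svchost.exe -k row added as a control. The file-name check generalizes the single rename on this page (07af45ec7157d54a08c8f6d2406420e0_NEAS.exe to 08af46ec8168d64a09c9f7d2407420e0_NFAS.exe) to any child whose name differs from its parent's only by characters moved up one code point.

```python
"""Detection rules for the behaviour recorded in this report (added example,
not sandbox output): Defender tampering via sc.exe / Set-MpPreference, a
dropped copy with an increment-mutated file name, a scheduled-task relaunch of
that copy, and bare svchost.exe children used as an injection host."""
import re
from pathlib import PureWindowsPath

NEAS = r"C:\Users\Admin\AppData\Local\Temp\07af45ec7157d54a08c8f6d2406420e0_NEAS.exe"
NFAS = r"C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe"
SYS32 = r"C:\Windows\system32"
WOW64 = r"C:\Windows\SysWOW64"
MP_CMD = "powershell Set-MpPreference -DisableRealtimeMonitoring $true"

# Constructed records (pid, ppid, image, cmdline) mirroring the report's tree.
EVENTS = [
    (996, 1, NEAS, '"' + NEAS + '"'),
    (2612, 996, WOW64 + r"\cmd.exe", "cmd.exe /c sc stop WinDefend"),
    (848, 2612, WOW64 + r"\sc.exe", "sc stop WinDefend"),
    (2616, 996, WOW64 + r"\cmd.exe", "cmd.exe /c sc delete WinDefend"),
    (2420, 2616, WOW64 + r"\sc.exe", "sc delete WinDefend"),
    (2548, 996, WOW64 + r"\cmd.exe", "cmd.exe /c " + MP_CMD),
    (2416, 2548, WOW64 + r"\WindowsPowerShell\v1.0\powershell.exe", MP_CMD),
    (3068, 996, NFAS, NFAS),
    (2740, 3068, SYS32 + r"\svchost.exe", SYS32 + r"\svchost.exe"),
    (2248, 1, SYS32 + r"\taskeng.exe",
     r"taskeng.exe {08D2D61F-956C-47B0-853C-B5666C57DB44} S-1-5-18:NT AUTHORITY\System:Service:"),
    (2872, 2248, NFAS, NFAS),
    (1012, 2872, SYS32 + r"\svchost.exe", SYS32 + r"\svchost.exe"),
    (956, 2248, NFAS, NFAS),
    (3012, 956, SYS32 + r"\svchost.exe", SYS32 + r"\svchost.exe"),
    # Benign control: services.exe starting a service host with a -k group.
    (480, 1, SYS32 + r"\services.exe", "services.exe"),
    (700, 480, SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs"),
]

TAMPER_RULES = [
    (re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend\b", re.I),
     "Windows Defender service stopped/deleted via sc.exe"),
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
     "Defender real-time monitoring disabled via Set-MpPreference"),
]

def _index(events):
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}

def _basename(image):
    return PureWindowsPath(image).name

def defender_tampering(events):
    """(pid, reason) for every command line that disables or removes Defender."""
    return [(pid, why) for pid, _, _, cmd in events
            for rule, why in TAMPER_RULES if rule.search(cmd)]

def is_increment_variant(original, candidate):
    """True when candidate is original with one or more characters incremented
    by one code point and nothing else changed (07af45..._NEAS -> 08af46..._NFAS)."""
    if len(original) != len(candidate) or original == candidate:
        return False
    return all(b == a or ord(b) == ord(a) + 1 for a, b in zip(original, candidate))

def renamed_copy_execution(events):
    """(ppid, pid, parent_name, child_name) where a process under the roaming
    profile carries an increment-mutated version of its parent's file name."""
    by_pid = _index(events)
    hits = []
    for pid, ppid, image, _ in events:
        if ppid not in by_pid or "\\appdata\\roaming\\" not in image.lower():
            continue
        parent_name, child_name = _basename(by_pid[ppid][1]), _basename(image)
        if is_increment_variant(parent_name, child_name):
            hits.append((ppid, pid, parent_name, child_name))
    return hits

def scheduled_task_profile_launch(events):
    """(pid, image) for user-profile executables started by the Win7 task
    engine; on newer Windows the parent is the svchost.exe hosting Schedule."""
    by_pid = _index(events)
    return [(pid, image) for pid, ppid, image, _ in events
            if ppid in by_pid and _basename(by_pid[ppid][1]).lower() == "taskeng.exe"
            and "\\users\\" in image.lower()]

def suspicious_svchost(events):
    """(pid, reasons) for svchost.exe not started by services.exe or started
    without a -k service group: the shape of a hollowed host process."""
    by_pid = _index(events)
    hits = []
    for pid, ppid, image, cmd in events:
        if _basename(image).lower() != "svchost.exe":
            continue
        parent = _basename(by_pid[ppid][1]).lower() if ppid in by_pid else "?"
        reasons = []
        if parent != "services.exe":
            reasons.append(f"parent is {parent}")
        if " -k " not in f" {cmd} ":
            reasons.append("no -k service group")
        if reasons:
            hits.append((pid, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for fn in (defender_tampering, renamed_copy_execution,
               scheduled_task_profile_launch, suspicious_svchost):
        print(fn.__name__, fn(EVENTS))
```

Run it directly to print the hits for the constructed events; in production feed it Sysmon Event ID 1 or equivalent EDR process-creation records. The svchost and rename rules need the parent's image, so keep a PID-to-parent map across the collection window rather than judging each event on its own, and expect the cmd.exe wrappers to fire the Defender rule alongside the sc.exe and powershell.exe leaves.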
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d84aef93cadb2c90a69752e46a70d6d8
  SHA1: 4b9b05c547023a058610d0837d9f9bf823ec7c39
  SHA256: ee9cd5f716f18de3de64a89452c0058a15ea07c577ca67babf5ed766ea346ef3
  SHA512: 7bb21df24922b4c691634813fe87b3beeb9ffef006e7d2348f2b90f81c8d6de3adaa68fa85357e616ee289e03b2ad58e6dc19621d703911a109a5843d9145237
  A Windows jump-list file, shell bookkeeping for recently launched applications; an artifact of the run, not a payload.
(path not given in the report)
  Filesize: 1.2MB
  MD5: 07af45ec7157d54a08c8f6d2406420e0
  SHA1: ffb328e6c8439ba7f1f42c0329b85ec9067d7b8d
  SHA256: 096c1a47f0ab13fb8e44463b8af44dbee3bca5bdeff41dfa37399f1f9a1f2f71
  SHA512: 49e9d993348b757252dd010efdbe2c6f52396f901119135aa457a3d48723464d24bb589b41705896a43cb8339314ecbec007888f6071d7039415db797a1107c4
  Every hash matches the submitted sample, so the dropped copy is byte-for-byte the original under a new file name; hunting on the sample's hashes will therefore also find the WinSocket copy.