Analysis
max time kernel: 138s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 19:52
Behavioral task
behavioral1
Sample: 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
Resource: win7-20240221-en
General
Target: 07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
Size: 1.2MB
MD5: 07af45ec7157d54a08c8f6d2406420e0
SHA1: ffb328e6c8439ba7f1f42c0329b85ec9067d7b8d
SHA256: 096c1a47f0ab13fb8e44463b8af44dbee3bca5bdeff41dfa37399f1f9a1f2f71
SHA512: 49e9d993348b757252dd010efdbe2c6f52396f901119135aa457a3d48723464d24bb589b41705896a43cb8339314ecbec007888f6071d7039415db797a1107c4
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdrz7/w6gZ5VOcMIw+WAQJd:E5aIwC+Agr6S/FWls5qf
Malware Config
Signatures
-
KPOT Core Executable (1 IoC)
resource: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
yara_rule: family_kpot
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource: behavioral2/memory/2028-15-0x0000000002BA0000-0x0000000002BC9000-memory.dmp
yara_rule: trickbot_loader32
Executes dropped EXE (3 IoCs)
pid    process
984    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
112    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
5108   08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid    process
Token: SeTcbPrivilege    112    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
Token: SeTcbPrivilege    5108   08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid    process
2028   07af45ec7157d54a08c8f6d2406420e0_NEAS.exe
984    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
112    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
5108   08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists 64 entries that repeat the same few rows; they are collapsed here to the four distinct parent/target pairs, with the number of repeated entries per row.
description          pid    process                                     target pid   target process                              entries
wrote to memory of   2028   07af45ec7157d54a08c8f6d2406420e0_NEAS.exe   984          08af46ec8168d64a09c9f7d2407420e0_NFAS.exe   3
wrote to memory of   984    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe   4044         svchost.exe                                 26
wrote to memory of   112    08af46ec8168d64a09c9f7d2407420e0_NFAS.exe   3820         svchost.exe                                 26
wrote to memory of   5108   08af46ec8168d64a09c9f7d2407420e0_NFAS.exe   4444         svchost.exe                                 9
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\07af45ec7157d54a08c8f6d2406420e0_NEAS.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\07af45ec7157d54a08c8f6d2406420e0_NEAS.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe (PID 984)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\svchost.exe (PID 4044)
      command line: C:\Windows\system32\svchost.exe
-
Level 1: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe (PID 112)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\svchost.exe (PID 3820)
    command line: C:\Windows\system32\svchost.exe
-
Level 1: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe (PID 5108)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\08af46ec8168d64a09c9f7d2407420e0_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\svchost.exe (PID 4444)
    command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.2MB
MD5: 07af45ec7157d54a08c8f6d2406420e0
SHA1: ffb328e6c8439ba7f1f42c0329b85ec9067d7b8d
SHA256: 096c1a47f0ab13fb8e44463b8af44dbee3bca5bdeff41dfa37399f1f9a1f2f71
SHA512: 49e9d993348b757252dd010efdbe2c6f52396f901119135aa457a3d48723464d24bb589b41705896a43cb8339314ecbec007888f6071d7039415db797a1107c4
-
Filesize: 43KB
MD5: b4a6ddbed7c56784f5dddc56e7910720
SHA1: c254f1f30443fa20f7528b83c54911318ca2224c
SHA256: d21756b6e05b27c39468bb33d67b2101cfcb6fafea539ab0d468ba533794ad03
SHA512: 85745f3f5753c3e79fc0737b919b25bc1d7d3f14f0d6f977fb3b81545e64892c88f8ae348bf31a27129e991fc7d9332e0f5b747ab949f54bfafd6d7ca2c42052