Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 23:33
Behavioral task: behavioral1
Sample: 67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe
Resource: win7-20240220-en
General
Target: 67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe
Size: 1.1MB
MD5: 67866bb931fa9541c9235f44f2ac9dc0
SHA1: 635efe539dd95bdd294b22c239b5b0e92f9fbf2f
SHA256: 7f7cccb99834f6440098a0b5c984c11e7cfd668ce76025cb30c9542d8a35b089
SHA512: 7179066c7a52062e616523d1c734f6f0ca8e26bfcb423ed06eb2f6a3cb84a91374afd829735ecf1751f4d92a0cce9dea0c39913d7edf02997ba8e44bb7188818
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZcnDPG02Q:E5aIwC+Agr6S/FFC+LG02Q
Malware Config
Signatures
KPOT Core Executable (1 IoCs)
Processes:
  resource                                                                                  yara_rule
  C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe      family_kpot
Trickbot x86 loader (1 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource                                                                              yara_rule
  behavioral2/memory/4744-15-0x0000000002290000-0x00000000022B9000-memory.dmp          trickbot_loader32
Executes dropped EXE (3 IoCs)
Processes:
  pid    process
  4864   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  4492   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  916    78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid    process
  Token: SeTcbPrivilege    4492   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  Token: SeTcbPrivilege    916    78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid    process
  4744   67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe
  4864   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  4492   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  916    78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                         pid    process                                       target process
  PID 4744 wrote to memory of 4864    4744   67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe    78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe   (listed 3 times)
  PID 4864 wrote to memory of 4164    4864   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe    svchost.exe                                  (listed repeatedly)
  PID 4492 wrote to memory of 2092    4492   78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe    svchost.exe                                  (listed repeatedly)
  PID 916 wrote to memory of 3968     916    78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe    svchost.exe                                  (listed repeatedly)
The original listing repeats one row per write; 64 entries appear in total, in the order shown above.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\67866bb931fa9541c9235f44f2ac9dc0_NEIKI.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4744
  C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4864
    C:\Windows\system32\svchost.exe (depth 3)
      command line: C:\Windows\system32\svchost.exe
      PID: 4164
C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe (depth 1)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4492
  C:\Windows\system32\svchost.exe (depth 2)
    command line: C:\Windows\system32\svchost.exe
    PID: 2092
C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe (depth 1)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\78977bb931fa9641c9236f44f2ac9dc0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 916
  C:\Windows\system32\svchost.exe (depth 2)
    command line: C:\Windows\system32\svchost.exe
    PID: 3968
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 67866bb931fa9541c9235f44f2ac9dc0
SHA1: 635efe539dd95bdd294b22c239b5b0e92f9fbf2f
SHA256: 7f7cccb99834f6440098a0b5c984c11e7cfd668ce76025cb30c9542d8a35b089
SHA512: 7179066c7a52062e616523d1c734f6f0ca8e26bfcb423ed06eb2f6a3cb84a91374afd829735ecf1751f4d92a0cce9dea0c39913d7edf02997ba8e44bb7188818

Filesize: 14KB
MD5: 2cb715afb11290ba3df7b0aecaaf3868
SHA1: e1b01b3fdaa5872ba149dfa861c960e612483098
SHA256: 3d7b69b66f4dc92623e1a5e00ac9abeacfc36bbc881d2aa951b8b0218c8f9ebc
SHA512: 99bb584b9cb66fdecea84cb48c15da79628e9eb01ae4bce5eda24005a1a392df3e0c841976a56a6ed026efb869731fabd0709e9a87668eb69961125ff50afe46