Analysis Overview
SHA256
e1e9e74aecda0a4289de833724a957cc19ae6c6ffcf5a548491991de36aa2b6c
Threat Level: Known bad
The file 44a71764cdc5e937e3d65409bdd318a0_NEAS was found to be: Known bad.
Malicious Activity Summary
KPOT Core Executable
KPOT
Trickbot x86 loader
Trickbot
Kpot family
Stops running service(s)
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Launches sc.exe
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 01:18
Signatures
KPOT Core Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kpot family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 01:18
Reported
2024-05-07 01:21
Platform
win10v2004-20240419-en
Max time kernel
136s
Max time network
129s
Command Line
Signatures
KPOT
KPOT Core Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe"
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4292 -ip 4292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 712
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 24.247.182.240:449 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 24.247.182.240:449 | tcp |
Files
memory/4708-3-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-14-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-13-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-12-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-11-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-10-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-9-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-8-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-7-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-6-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-5-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-4-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-2-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4708-15-0x0000000002190000-0x00000000021B9000-memory.dmp
memory/4708-18-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4708-17-0x0000000000421000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
| MD5 | 44a71764cdc5e937e3d65409bdd318a0 |
| SHA1 | f1405280b3c81d9f2c5ff6dfaafbde8440b757e0 |
| SHA256 | e1e9e74aecda0a4289de833724a957cc19ae6c6ffcf5a548491991de36aa2b6c |
| SHA512 | 834c2323d2dd4cca77d00cad928a38230afc82b44204de0f87ba4fc6cdd491d9f1f23bc4699a741f0017041fa5396b4d74e64e20e2f20b93394de5c541164323 |
memory/4804-37-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-36-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-42-0x0000000010000000-0x0000000010007000-memory.dmp
memory/4752-48-0x0000000010000000-0x000000001001E000-memory.dmp
memory/4752-51-0x00000211E0B10000-0x00000211E0B11000-memory.dmp
memory/4752-46-0x0000000010000000-0x000000001001E000-memory.dmp
memory/4804-41-0x0000000010000000-0x0000000010007000-memory.dmp
memory/4804-40-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4804-35-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-34-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-33-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-52-0x0000000003060000-0x000000000311E000-memory.dmp
memory/4804-32-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-53-0x0000000003160000-0x0000000003429000-memory.dmp
memory/4804-31-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-30-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-29-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-28-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-27-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4804-26-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4292-69-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-68-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-67-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-66-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-65-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-64-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-63-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-62-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-61-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-60-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-59-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-58-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4292-72-0x0000000000421000-0x0000000000422000-memory.dmp
memory/4292-73-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
| MD5 | 568a4d73fd73e360ee8e18b52a7f2c7f |
| SHA1 | ec7ef2e4e89acee15b95e63d91584e46c66c11d3 |
| SHA256 | 0bae05a24f36abf2291a24832f08c74cd2aea2dd2975e4b1aa8195bb09db2032 |
| SHA512 | f1f27a375bb1e6b640c6d470924d9e8ea0b7a5532e94fbb19923742f9cfdbcff79c2f9799428c9977da0d75ee4b2dda4e19a0566d344c461132cae89702ad64a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 01:18
Reported
2024-05-07 01:21
Platform
win7-20240419-en
Max time kernel
135s
Max time network
119s
Command Line
Signatures
KPOT
KPOT Core Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\44a71764cdc5e937e3d65409bdd318a0_NEAS.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\taskeng.exe
taskeng.exe {D78CF5BF-9ABC-48EE-AD65-61E650AF1CAB} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
memory/2188-7-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-6-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-5-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-4-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-3-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-2-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-9-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-8-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-10-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-12-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-11-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-14-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-13-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2188-15-0x0000000000630000-0x0000000000659000-memory.dmp
memory/2188-18-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2188-17-0x0000000000421000-0x0000000000422000-memory.dmp
\Users\Admin\AppData\Roaming\WinSocket\44a81874cdc6e938e3d76409bdd319a0_NFAS.exe
| MD5 | 44a71764cdc5e937e3d65409bdd318a0 |
| SHA1 | f1405280b3c81d9f2c5ff6dfaafbde8440b757e0 |
| SHA256 | e1e9e74aecda0a4289de833724a957cc19ae6c6ffcf5a548491991de36aa2b6c |
| SHA512 | 834c2323d2dd4cca77d00cad928a38230afc82b44204de0f87ba4fc6cdd491d9f1f23bc4699a741f0017041fa5396b4d74e64e20e2f20b93394de5c541164323 |
memory/2680-41-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-44-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2680-40-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-45-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2536-55-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2536-51-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2536-50-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2680-39-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-38-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-37-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-36-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-35-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-34-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-33-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-32-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-31-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2680-30-0x0000000000280000-0x0000000000281000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | fe83f72208f3e9cbc188df9299740739 |
| SHA1 | 75d78af2303087cf2a3ae5e4e2b5f0daf83f6349 |
| SHA256 | 5288b049dc1d275f532cf8ab71e3fbad661070af4701c51f8c8e99d4af94e0e0 |
| SHA512 | 1940ceea94be6faca2dfb3671c4862a7ca591108cf251ae4d5fe082b65b99bb45ab21bc44a8b50b51bdb4e306ff37ab8c1786f69e1259a1b4d4ed933deb3e290 |
memory/1232-70-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-71-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-69-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-68-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-73-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-74-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-72-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-76-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-77-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-75-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-79-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-78-0x0000000000260000-0x0000000000261000-memory.dmp