Analysis

max time kernel: 138s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 02:46
Behavioral task: behavioral1
Sample: 53b4a3693af598e83e40f1fac14d8950_NEAS.exe
Resource: win7-20240221-en
General

Target: 53b4a3693af598e83e40f1fac14d8950_NEAS.exe
Size: 1013KB
MD5: 53b4a3693af598e83e40f1fac14d8950
SHA1: 01574d9f3e3d3e602821c9cc1432b3b0752ee06c
SHA256: 5e7c6d245a3a0c41f759b46bafbc5cf6ade0744cfc2c4299d3fe0d18201b5f04
SHA512: f4843a4e6ec6a6b9bd405d27575e9a47ee3ed3beab5cbfc6e7740a7ed90431da7e10876170ae74243b266d8b0e95000962178d6ff61a6d8237f3d4d9513fc81c
SSDEEP: 12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEs1HzCHT4TlM9YmJ2Q97v54yRnkQgVf56:zQ5aILMCfmAUjzX6T0TlOnvPyQCf56
Malware Config
Signatures
KPOT Core Executable (1 IoC)
Processes:
  resource:  C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  yara_rule: family_kpot
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource:  behavioral2/memory/3480-15-0x0000000002160000-0x0000000002189000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4680  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  2660  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  4180  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description            pid   process
  Token: SeTcbPrivilege  2660  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  Token: SeTcbPrivilege  4180  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  3480  53b4a3693af598e83e40f1fac14d8950_NEAS.exe
  4680  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  2660  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  4180  63b4a3793af699e93e40f1fac14d9960_NFAS.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the 64 entries consist of four distinct rows, each repeated; the number of identical entries is given in the last column):
  description                       pid   process                                    target process                             entries
  PID 3480 wrote to memory of 4680  3480  53b4a3693af598e83e40f1fac14d8950_NEAS.exe  63b4a3793af699e93e40f1fac14d9960_NFAS.exe  3
  PID 4680 wrote to memory of 1744  4680  63b4a3793af699e93e40f1fac14d9960_NFAS.exe  svchost.exe                                26
  PID 2660 wrote to memory of 3384  2660  63b4a3793af699e93e40f1fac14d9960_NFAS.exe  svchost.exe                                26
  PID 4180 wrote to memory of 2372  4180  63b4a3793af699e93e40f1fac14d9960_NFAS.exe  svchost.exe                                9
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (indentation shows parent/child depth; each entry gives the image path, the command line as recorded by the sandbox, the signatures matched for that process, and its PID):

C:\Users\Admin\AppData\Local\Temp\53b4a3693af598e83e40f1fac14d8950_NEAS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\53b4a3693af598e83e40f1fac14d8950_NEAS.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3480
    C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
      command line: C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4680
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          PID: 1744

C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2660
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 3384

C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\63b4a3793af699e93e40f1fac14d9960_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4180
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2372
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (same hashes as the submitted sample)
  Filesize: 1013KB
  MD5: 53b4a3693af598e83e40f1fac14d8950
  SHA1: 01574d9f3e3d3e602821c9cc1432b3b0752ee06c
  SHA256: 5e7c6d245a3a0c41f759b46bafbc5cf6ade0744cfc2c4299d3fe0d18201b5f04
  SHA512: f4843a4e6ec6a6b9bd405d27575e9a47ee3ed3beab5cbfc6e7740a7ed90431da7e10876170ae74243b266d8b0e95000962178d6ff61a6d8237f3d4d9513fc81c

File 2
  Filesize: 50KB
  MD5: 07ab953bcc448636f31d6a20f752547b
  SHA1: f85381e3f80dd91c66565025f0bb2f65fb010b4e
  SHA256: 2de7f0fe5100f4e95d5fe92183c9736a39665cc6ee59634b631f36cf12048df9
  SHA512: e601725a1a31e6daedd8cfc5b8e43cf5f8e3447b99da8755bf13c8f97942b28e419cdc8aef56690ad1b88d2f14870342bc454385f91dc98db9a95be8d0c08fba