Analysis
- max time kernel: 137s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 03:36
Behavioral task
- behavioral1
- Sample: 5cfa4b705d88c768400fa4c88396f120_NEAS.exe
- Resource: win7-20240221-en
General
- Target: 5cfa4b705d88c768400fa4c88396f120_NEAS.exe
- Size: 1.3MB
- MD5: 5cfa4b705d88c768400fa4c88396f120
- SHA1: deff2c89ada55dd327743b92f3e764098f8d9dcb
- SHA256: dbb838e53fb35c86e03a4d1e8fdf200ec6b4d102c7654f1c7dc9514ae61eacbe
- SHA512: 421b54eae382e5b9bff9e4bf32080ce1c8b006d09d5d9bea2842dea8f7bb99b13107a682c0cc38128c383e9cf5f4e36a3888f2a52dea89b6e50abb0e1796ae40
- SSDEEP: 24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0UOSQU:E5aIwC+Agr6twjVDF
Malware Config
Signatures
KPOT Core Executable 1 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Roaming\WinSocket\6cfa4b806d99c879400fa4c99397f120_NFAS.exe
  yara_rule: family_kpot
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
- resource: behavioral2/memory/1680-15-0x00000000029C0000-0x00000000029E9000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE 3 IoCs
Processes:
- PID 2532: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
- PID 1700: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
- PID 4484: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeTcbPrivilege, PID 1700, 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
- Token: SeTcbPrivilege, PID 4484, 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- PID 1680: 5cfa4b705d88c768400fa4c88396f120_NEAS.exe
- PID 2532: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
- PID 1700: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
- PID 4484: 6cfa4b806d99c879400fa4c99397f120_NFAS.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and process, target PID and process; the raw report lists one entry per write, 64 entries in total):
- PID 1680 (5cfa4b705d88c768400fa4c88396f120_NEAS.exe) wrote to memory of PID 2532 (6cfa4b806d99c879400fa4c99397f120_NFAS.exe): 3 entries
- PID 2532 (6cfa4b806d99c879400fa4c99397f120_NFAS.exe) wrote to memory of PID 2376 (svchost.exe): 26 entries
- PID 1700 (6cfa4b806d99c879400fa4c99397f120_NFAS.exe) wrote to memory of PID 2436 (svchost.exe): 26 entries
- PID 4484 (6cfa4b806d99c879400fa4c99397f120_NFAS.exe) wrote to memory of PID 1076 (svchost.exe): 9 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5cfa4b705d88c768400fa4c88396f120_NEAS.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cfa4b705d88c768400fa4c88396f120_NEAS.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\6cfa4b806d99c879400fa4c99397f120_NFAS.exe (PID 2532)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2376)
- C:\Users\Admin\AppData\Roaming\WinSocket\6cfa4b806d99c879400fa4c99397f120_NFAS.exe (PID 1700)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 2436)
- C:\Users\Admin\AppData\Roaming\WinSocket\6cfa4b806d99c879400fa4c99397f120_NFAS.exe (PID 4484)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 1076)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 5cfa4b705d88c768400fa4c88396f120
  SHA1: deff2c89ada55dd327743b92f3e764098f8d9dcb
  SHA256: dbb838e53fb35c86e03a4d1e8fdf200ec6b4d102c7654f1c7dc9514ae61eacbe
  SHA512: 421b54eae382e5b9bff9e4bf32080ce1c8b006d09d5d9bea2842dea8f7bb99b13107a682c0cc38128c383e9cf5f4e36a3888f2a52dea89b6e50abb0e1796ae40
- Filesize: 50KB
  MD5: 6a1aec4023141139df0d95e3312527d1
  SHA1: 5939fdde85a98fe439b5727e00be7cb8cd4433c8
  SHA256: f456ae3983b6495896025e897c52685b1f225bdf48444d48831cdda01e7ec836
  SHA512: 1c4300de673857f5fd8eafa38c97858fb6cc722312ef1c4c0067754262c37de51bf9057f8a009d6b29cdbc80799c2b0af58d1ccf0edc8dd40915241fd3a78211