Malware Analysis Report

2024-10-19 01:05

Sample ID 240507-ekkwzsha3v
Target 614bf24801b45e4471544ea4abd51d00_NEAS
SHA256 b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b
Tags kpot trickbot banker evasion execution stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b

Threat Level: Known bad

The file 614bf24801b45e4471544ea4abd51d00_NEAS was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

Kpot family

Trickbot

KPOT Core Executable

KPOT

Trickbot x86 loader

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-07 03:59

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 03:59

Reported

2024-05-07 04:02

Platform

win7-20240221-en

Max time kernel

136s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 2392 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2392 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2392 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2392 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1008 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2736 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2736 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2736 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2736 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2948 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 2948 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\system32\taskeng.exe

taskeng.exe {6C1472E7-55F3-42CD-8046-885ACBA5E28E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

memory/2148-2-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-5-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-11-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-12-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-13-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2148-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/2148-15-0x00000000003D0000-0x00000000003F9000-memory.dmp

memory/2148-18-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

MD5 614bf24801b45e4471544ea4abd51d00
SHA1 3b88a131c3133294dfcaa53ce90f50121e0baf72
SHA256 b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b
SHA512 bec241b88d95d0b74fd5d823cac9f2df83b4c7bc482475c3dcb7b33b8516751edfccf384bede898b86f3cee4ef38c60caa0b1da8467e8f604e9e703afb63da18

memory/2948-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2948-32-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-41-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-40-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-39-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-38-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-37-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-36-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-34-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2568-50-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2568-49-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2948-46-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2948-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2948-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-31-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2948-30-0x0000000000290000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 aa78f953e5c88b2bae4916eec370606d
SHA1 9b80fdb186d5e6cbab49c4ee6bb35e0d79960a5d
SHA256 cd074fada4981a45fe44c36b9b791687cd6e8515ebfce84446a8141ac655949e
SHA512 818541c4b41445f214df8fd764ec60c8410400bdb5994288394f2f15bc440b1f2c3d63d2b69b0a2223eae0e0fd1414d7d77d213ee38bbba7d6208d02818098f4

memory/888-77-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-76-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-75-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-74-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-72-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-69-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-68-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-67-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/888-66-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1840-94-0x0000000000500000-0x0000000000501000-memory.dmp

memory/1840-93-0x0000000000500000-0x0000000000501000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 03:59

Reported

2024-05-07 04:02

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 1360 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 1360 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 1652 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 892 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe
PID 796 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
BR 187.19.17.132:449 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BR 187.19.17.132:449 tcp

Files

memory/1360-4-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-14-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1360-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/1360-15-0x0000000002AF0000-0x0000000002B19000-memory.dmp

memory/1360-13-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-12-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-11-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-10-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-9-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-8-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-7-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-6-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-5-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-3-0x0000000002150000-0x0000000002151000-memory.dmp

memory/1360-2-0x0000000002150000-0x0000000002151000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

MD5 614bf24801b45e4471544ea4abd51d00
SHA1 3b88a131c3133294dfcaa53ce90f50121e0baf72
SHA256 b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b
SHA512 bec241b88d95d0b74fd5d823cac9f2df83b4c7bc482475c3dcb7b33b8516751edfccf384bede898b86f3cee4ef38c60caa0b1da8467e8f604e9e703afb63da18

memory/1652-36-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-37-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-35-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-34-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-30-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1652-27-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-26-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-33-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-32-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/1652-31-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-29-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1652-28-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/3748-47-0x0000000010000000-0x000000001001E000-memory.dmp

memory/3748-51-0x0000020BF2D50000-0x0000020BF2D51000-memory.dmp

memory/1652-52-0x0000000003060000-0x000000000311E000-memory.dmp

memory/1652-53-0x0000000003160000-0x0000000003429000-memory.dmp

memory/892-58-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-60-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-62-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-63-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-65-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-69-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-68-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-67-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-66-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-64-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-61-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-59-0x0000000000640000-0x0000000000641000-memory.dmp

memory/892-72-0x0000000000421000-0x0000000000422000-memory.dmp

memory/892-73-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 9adc01e18ed79e9872eb0b6f7ada00e1
SHA1 0bc8ab77c60b599805e1e1a5c9cad57d434c3e4c
SHA256 fa2c601c8d8d0ae03dce073869436e1680989df33154201d5680a2b9152e1c51
SHA512 4ee567c5a528b907bd2f84b283c12095d4803789d1431e7c3ade14aba96b0f745eab42274bbb7e117d506cdb4168b70ec2f72a67c323e9561ce3291360a0003b