Analysis
- max time kernel: 136s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 04:05
Behavioral task: behavioral1
- Sample: 6230e43c317b045d422a295ff11b7880_NEAS.exe
- Resource: win7-20240221-en
General
- Target: 6230e43c317b045d422a295ff11b7880_NEAS.exe
- Size: 1.2MB
- MD5: 6230e43c317b045d422a295ff11b7880
- SHA1: b8f1d9ec144d6f8bf863c5579f91a448aa6490a5
- SHA256: a927ff380427b679ea8da095ae04b00361c408ccd597c6f804f80777cd7263b5
- SHA512: f34e44c2497a3226f7f70546d51d731280d241f2b614eef9f4d4a0620864e6b169a7b2c53668965441c52d35a2aed84dd431dfe73f1a11b01f428df3fca2a152
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOxA5zYlo1c51WncC+:E5aIwC+Agr6StVEnmcKxY/O1HC+
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
  - resource: \Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe, yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
  - resource: behavioral1/memory/2508-15-0x0000000001BD0000-0x0000000001BF9000-memory.dmp, yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2780: 7230e43c318b046d422a296ff11b8990_NFAS.exe
  - PID 1440: 7230e43c318b046d422a296ff11b8990_NFAS.exe
  - PID 2044: 7230e43c318b046d422a296ff11b8990_NFAS.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 2508: 6230e43c317b045d422a295ff11b7880_NEAS.exe (2 events)
- Drops file in System32 directory (1 IoC)
  Processes:
  - powershell.exe: File opened for modification, C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - PID 2576: sc.exe
  - PID 2664: sc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - PID 2508: 6230e43c317b045d422a295ff11b7880_NEAS.exe (3 events)
  - PID 2628: powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2628: powershell.exe
  - Token: SeTcbPrivilege, PID 1440: 7230e43c318b046d422a296ff11b8990_NFAS.exe
  - Token: SeTcbPrivilege, PID 2044: 7230e43c318b046d422a296ff11b8990_NFAS.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - PID 2508: 6230e43c317b045d422a295ff11b7880_NEAS.exe
  - PID 2780: 7230e43c318b046d422a296ff11b8990_NFAS.exe
  - PID 1440: 7230e43c318b046d422a296ff11b8990_NFAS.exe
  - PID 2044: 7230e43c318b046d422a296ff11b8990_NFAS.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process -> target PID and process; number of write events):
  - 2508 6230e43c317b045d422a295ff11b7880_NEAS.exe -> 2372 cmd.exe (4)
  - 2508 6230e43c317b045d422a295ff11b7880_NEAS.exe -> 2612 cmd.exe (4)
  - 2508 6230e43c317b045d422a295ff11b7880_NEAS.exe -> 2084 cmd.exe (4)
  - 2508 6230e43c317b045d422a295ff11b7880_NEAS.exe -> 2780 7230e43c318b046d422a296ff11b8990_NFAS.exe (4)
  - 2372 cmd.exe -> 2664 sc.exe (4)
  - 2084 cmd.exe -> 2628 powershell.exe (4)
  - 2612 cmd.exe -> 2576 sc.exe (4)
  - 2780 7230e43c318b046d422a296ff11b8990_NFAS.exe -> 2596 svchost.exe (28)
  - 2032 taskeng.exe -> 1440 7230e43c318b046d422a296ff11b8990_NFAS.exe (4)
  - 1440 7230e43c318b046d422a296ff11b8990_NFAS.exe -> 1896 svchost.exe (4)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\6230e43c317b045d422a295ff11b7880_NEAS.exe (PID 2508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6230e43c317b045d422a295ff11b7880_NEAS.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2372)
    Command line: /c sc stop WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2664)
      Command line: sc stop WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2612)
    Command line: /c sc delete WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2576)
      Command line: sc delete WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2084)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2628)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe (PID 2780)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2596)
      Command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 2032)
  Command line: taskeng.exe {3019CD11-85CD-4B51-9D84-EF8F03D879EE} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe (PID 1440)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 1896)
      Command line: C:\Windows\system32\svchost.exe
  - C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe (PID 2044)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7230e43c318b046d422a296ff11b8990_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\svchost.exe (PID 796)
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15