Analysis
- max time kernel: 135s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 05:10
Behavioral task: behavioral1
- Sample: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
- Resource: win7-20240215-en
General
- Target: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
- Size: 1.3MB
- MD5: 6e4ecf2453ea828d39e23b73e4b23260
- SHA1: 51caee4b0eea1d7ac785095302b2b9c111eb3833
- SHA256: dbeb39cf194a8bde6d14d80f8db5adc5188472f747e2389807b58377e9d4acbf
- SHA512: ffcb0d8266d544bafadd4a52b037e6825c0696237249be6bb6a4818be3c0568014143e14720f6b9cbb83897735c2a9b38285207b8c848f212ad7bd106ad0ae25
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIz:E5aIwC+Agr6S/FEVM
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe, yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource: behavioral1/memory/2416-15-0x0000000000480000-0x00000000004A9000-memory.dmp, yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2672: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    PID 600: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    PID 928: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 2416: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe (2 entries)
- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, process: powershell.exe (2 entries)
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 2584: sc.exe
    PID 2324: sc.exe
    PID 2496: sc.exe
    PID 2264: sc.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    PID 2416: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe (3 entries)
    PID 2672: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe (3 entries)
    PID 2576: powershell.exe
    PID 2364: powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 2576: powershell.exe
    Token: SeDebugPrivilege, PID 2364: powershell.exe
    Token: SeTcbPrivilege, PID 600: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    Token: SeTcbPrivilege, PID 928: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    PID 2416: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
    PID 2672: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    PID 600: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    PID 928: 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process -> target PID and process, number of recorded writes):
    PID 2416 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe -> PID 1948 cmd.exe (4)
    PID 2416 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe -> PID 2544 cmd.exe (4)
    PID 2416 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe -> PID 2012 cmd.exe (4)
    PID 2416 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe -> PID 2672 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe (4)
    PID 2012 cmd.exe -> PID 2576 powershell.exe (4)
    PID 2544 cmd.exe -> PID 2584 sc.exe (4)
    PID 1948 cmd.exe -> PID 2324 sc.exe (4)
    PID 2672 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe -> PID 2616 cmd.exe (4)
    PID 2672 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe -> PID 2624 cmd.exe (4)
    PID 2672 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe -> PID 2500 cmd.exe (4)
    PID 2672 7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe -> PID 2456 svchost.exe (24)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe (PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1948)
    Command line: /c sc stop WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2324)
      Command line: sc stop WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2544)
    Command line: /c sc delete WinDefend
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2584)
      Command line: sc delete WinDefend
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2012)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe (PID 2672)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2616)
      Command line: /c sc stop WinDefend
      - C:\Windows\SysWOW64\sc.exe (PID 2264)
        Command line: sc stop WinDefend
        Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 2624)
      Command line: /c sc delete WinDefend
      - C:\Windows\SysWOW64\sc.exe (PID 2496)
        Command line: sc delete WinDefend
        Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 2500)
      Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2364)
        Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\svchost.exe (PID 2456)
      Command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 1996)
  Command line: taskeng.exe {76ED1F12-77F4-4F97-BDBA-3B709989B0CD} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe (PID 600)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\svchost.exe (PID 1828)
      Command line: C:\Windows\system32\svchost.exe
  - C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe (PID 928)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\svchost.exe (PID 1712)
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 059487d612fcceaff7df5687d2e42fd1
  SHA1: fac25ad32838f4cb8db07ceeef1460b9472dc6f3
  SHA256: c12edc12d726489e77dc35fdc90172f187f6991b2972fd2b91f30852fadee974
  SHA512: 7d4b2015b4deb86f9f0e409e3905ee1c1ad8bac2a4b1686f5a6b4fc8628c691ace8d3b8bdec9f450b93cc3bac7c879509af28a4efbdc0db62ace8bd6e2738a7f
- (no path recorded)
  Filesize: 1.3MB
  MD5: 6e4ecf2453ea828d39e23b73e4b23260
  SHA1: 51caee4b0eea1d7ac785095302b2b9c111eb3833
  SHA256: dbeb39cf194a8bde6d14d80f8db5adc5188472f747e2389807b58377e9d4acbf
  SHA512: ffcb0d8266d544bafadd4a52b037e6825c0696237249be6bb6a4818be3c0568014143e14720f6b9cbb83897735c2a9b38285207b8c848f212ad7bd106ad0ae25