Analysis
max time kernel: 136s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 07-05-2024 05:10
Behavioral task: behavioral1
Sample: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
Resource: win7-20240215-en
General
Target: 6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
Size: 1.3MB
MD5: 6e4ecf2453ea828d39e23b73e4b23260
SHA1: 51caee4b0eea1d7ac785095302b2b9c111eb3833
SHA256: dbeb39cf194a8bde6d14d80f8db5adc5188472f747e2389807b58377e9d4acbf
SHA512: ffcb0d8266d544bafadd4a52b037e6825c0696237249be6bb6a4818be3c0568014143e14720f6b9cbb83897735c2a9b38285207b8c848f212ad7bd106ad0ae25
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIz:E5aIwC+Agr6S/FEVM
Malware Config
Signatures
KPOT Core Executable 1 IoCs
Processes:
  resource:  C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  yara_rule: family_kpot
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource:  behavioral2/memory/4720-15-0x0000000002200000-0x0000000002229000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  4272  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  4600  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  5100  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description            pid   process
  Token: SeTcbPrivilege  4600  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  Token: SeTcbPrivilege  5100  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  4720  6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
  4272  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  4600  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  5100  7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e4ecf2453ea828d39e23b73e4b23260_NEAS.exe"
  PID: 4720
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
      PID: 4272
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 2160

C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  PID: 4600
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 1320

C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7e4ecf2463ea929d39e23b83e4b23270_NFAS.exe
  PID: 5100
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4792
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 6e4ecf2453ea828d39e23b73e4b23260
SHA1: 51caee4b0eea1d7ac785095302b2b9c111eb3833
SHA256: dbeb39cf194a8bde6d14d80f8db5adc5188472f747e2389807b58377e9d4acbf
SHA512: ffcb0d8266d544bafadd4a52b037e6825c0696237249be6bb6a4818be3c0568014143e14720f6b9cbb83897735c2a9b38285207b8c848f212ad7bd106ad0ae25

Filesize: 78KB
MD5: ee3c80d89459eb45321714f674724c5d
SHA1: 60392a350f79e59b553623ccb5327fdb71c393fc
SHA256: 2febed9e7a6113a676fbc4bca860dd2db945b5306425d988b36966cd030a0a27
SHA512: 3e7e715a7a09c54c4477d285817e98d8e244c4b0e5a2b95474744ce2b8d67c9a5ff0e3726c4183ba2e0110363dc538c6792e5737a1fed0ea11f99288046a7400