Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 05:56

Behavioral task: behavioral1
Sample: 79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe
Resource: win7-20240221-en
General

Target: 79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe
Size: 1.2MB
MD5: 79f18ca94d967d0816a7b0eceeaba8d0
SHA1: 59bb1c66df86080789d466843ee379007c0e6b44
SHA256: d025eca669224179172e4cebc5ccfb5c1803d596eb707f6d660f85d214d54b4a
SHA512: 97041c64ba1870dbb4f2250951b9a3b2a636fd7e015bfbd829f41d5ff1a08a9160db72d5f225eb56ead9895394c1adfc7faa7bb36c5f452d394fed5c4733ed34
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOFZ+jJ/1q0GrbcUxnMjb:E5aIwC+Agr6StVEnmcKWnq0vljb
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
resource / yara_rule:
- C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe: family_kpot
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
resource / yara_rule:
- behavioral2/memory/1056-15-0x0000000003020000-0x0000000003049000-memory.dmp: trickbot_loader32
-
Executes dropped EXE 3 IoCs
pid / process:
- 3240 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- 1984 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- 2456 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
-
Modifies data under HKEY_USERS 41 IoCs
description / ioc / process (every entry is "Key created" by svchost.exe):
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / process:
- Token: SeTcbPrivilege 1984 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- Token: SeTcbPrivilege 2456 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid / process:
- 1056 79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe
- 3240 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- 1984 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- 2456 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / process / target process (64 entries; repeated writes to the same target collapsed):
- PID 1056 wrote to memory of 3240: 79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe -> 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
- PID 3240 wrote to memory of 2684: 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe -> svchost.exe
- PID 1984 wrote to memory of 4384: 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe -> svchost.exe
- PID 2456 wrote to memory of 3552: 89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe -> svchost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe (PID 1056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\79f18ca94d967d0816a7b0eceeaba8d0_NEAS.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe (PID 3240)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2684)
      Command line: C:\Windows\system32\svchost.exe

- C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe (PID 1984)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 4384)
    Command line: C:\Windows\system32\svchost.exe
    Signatures: Modifies data under HKEY_USERS

- C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe (PID 2456)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\89f19ca94d978d0917a8b0eceeaba9d0_NFAS.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 3552)
    Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.2MB
  MD5: 79f18ca94d967d0816a7b0eceeaba8d0
  SHA1: 59bb1c66df86080789d466843ee379007c0e6b44
  SHA256: d025eca669224179172e4cebc5ccfb5c1803d596eb707f6d660f85d214d54b4a
  SHA512: 97041c64ba1870dbb4f2250951b9a3b2a636fd7e015bfbd829f41d5ff1a08a9160db72d5f225eb56ead9895394c1adfc7faa7bb36c5f452d394fed5c4733ed34

- Filesize: 19KB
  MD5: 2d58d5aff732463ef96847fd3411ba13
  SHA1: df0edc9850b4f6678f7ad2c2a8644c67798b9306
  SHA256: 9f88b198ef9a913316abad3ce2567d8ccd23a9829e4e85df5c7abbd7a3b9c290
  SHA512: cfc569d6d4e98295667c6b5c1b98be88702578e2929a94572f39602ed4e836426672acc81833ad9214eeb3192572ca9cc2c66fe481a87b37dd6a19a9068d3805