Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07-05-2024 07:18
General
-
Target
8eaff92956b903c6aada9f749dce2360_NEAS.exe
-
Size
1.2MB
-
MD5
8eaff92956b903c6aada9f749dce2360
-
SHA1
f3fe9e15bf29c347880f093ad8cf1d3a6d7b2dea
-
SHA256
5649ac66b6bba881528cfaea834559f33b22485be338b9f9c320e124b9a39fd3
-
SHA512
b406f89291098887b4387c35efd2f1e2cdd4e12f276cef8b3eb24b465fe6d71a5713422155cc4673d150d3630f399f0e7995e90275461a6eed18c63913fd687b
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIwi0rfQ:E5aIwC+Agr6S/FEVpw
Malware Config
Signatures
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8eaff92956b903c6aada9f749dce2360_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\8eaff92956b903c6aada9f749dce2360_NEAS.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exeC:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exeC:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exeC:\Users\Admin\AppData\Roaming\WinSocket\9eaff92967b903c7aada9f849dce2370_NFAS.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD58eaff92956b903c6aada9f749dce2360
SHA1f3fe9e15bf29c347880f093ad8cf1d3a6d7b2dea
SHA2565649ac66b6bba881528cfaea834559f33b22485be338b9f9c320e124b9a39fd3
SHA512b406f89291098887b4387c35efd2f1e2cdd4e12f276cef8b3eb24b465fe6d71a5713422155cc4673d150d3630f399f0e7995e90275461a6eed18c63913fd687b
-
Filesize
15KB
MD54e6603717da6213fcffaa744bff428fb
SHA1ad0519b1cb2659772ef9e80fa46b7f3d33b68167
SHA2563315cbc0658d88218140154d2e3c89cb4671a71838e18d37e11847f3795f3f75
SHA512287ef1972a475f1bf975ddd82454e769c73d2be427ad826d381aabb979823636ef4ce6ba383e991260c27834a6fedbdcfd11d168800085034274a7116bb54ead
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB