Analysis
- max time kernel: 135s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 15:14
Behavioral task: behavioral1
- Sample: c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe
- Resource: win7-20240221-en
General
- Target: c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe
- Size: 1.2MB
- MD5: c6b1d13e1af4dbe86b0a8d57f28c5850
- SHA1: 6cd2a70a3d4d4a3ef9a3a1aaae5e04d2a0a85498
- SHA256: ae9be39abd3ca69556a88062e1269e84325e12503e0575348bb3fa905b52ccc1
- SHA512: c1d29410c2ba497ca38dc0bd8a06bf629d88899bff51d0190a110aaa235453924e7507892c4a4401d7559e2722551ee59d759220ba0812b2ef1f98ee2d34833e
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQE4efQg3zNn+2jsvercPk9N4hVI3/TQyFM:E5aIwC+Agr6SqCPGvTy
Malware Config
Signatures
-
KPOT Core Executable (1 IoC)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
  yara_rule: family_kpot
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes (resource, yara_rule):
- behavioral2/memory/948-15-0x00000000021E0000-0x0000000002209000-memory.dmp
  yara_rule: trickbot_loader32
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 888   c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- 1852  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- 2332  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeTcbPrivilege  1852  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- Token: SeTcbPrivilege  2332  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 948   c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe
- 888   c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- 1852  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- 2332  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process). The 64 entries repeat the same four source/target pairs; the distinct pairs are:
- PID 948 wrote to memory of 888    948   c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
- PID 888 wrote to memory of 2524   888   c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe  svchost.exe
- PID 1852 wrote to memory of 4908  1852  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe  svchost.exe
- PID 2332 wrote to memory of 4796  2332  c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe  svchost.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6b1d13e1af4dbe86b0a8d57f28c5850_NEAS.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe (PID 888, child of 948)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2524, child of 888)
      Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe (PID 1852)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 4908, child of 1852)
    Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe (PID 2332)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\c7b1d13e1af4dbe97b0a9d68f29c6960_NFAS.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 4796, child of 2332)
    Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: c6b1d13e1af4dbe86b0a8d57f28c5850
  SHA1: 6cd2a70a3d4d4a3ef9a3a1aaae5e04d2a0a85498
  SHA256: ae9be39abd3ca69556a88062e1269e84325e12503e0575348bb3fa905b52ccc1
  SHA512: c1d29410c2ba497ca38dc0bd8a06bf629d88899bff51d0190a110aaa235453924e7507892c4a4401d7559e2722551ee59d759220ba0812b2ef1f98ee2d34833e
- Filesize: 30KB
  MD5: 6bb568fcd86e26c9b5e470d89a089339
  SHA1: 3519c96795d89a2dfa21bf0b5a01c56965a81496
  SHA256: 9886db325306208cc7967fd77acbf70675051c208af48742a4388176d10a07c0
  SHA512: 24bac16b43c88ccff16aa57984efa4ef01d26d99035e24a17ef6696f5320d3b5dfffebf0281dac20d3be0918f21178488a2136d7009f567e07f44aa8ece5f935