Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 17:14
Behavioral task: behavioral1
- Sample: e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe
- Resource: win7-20240419-en
General
- Target: e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe
- Size: 931KB
- MD5: e9181259ebe70547cda0fb5cbee9d3c0
- SHA1: 665918652df82d7508bdb84975c46678c86aad9c
- SHA256: b0947a84762157bd5413e4f46c30f736672cc28a59720cb8bb2e6aa4dbf45726
- SHA512: f06bdf9a3c340c4a78c2be4df696aef59b14d56c1d05c04a9ddbe1b2f6cb7d0a44087024701303b8abcf43234f0c10731f5389afedcdffbbcbb63b056f1375a4
- SSDEEP: 12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQNhW4Lq90jg:zQ5aILMCfmAUjzX6xQtjmsNLU3
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe  family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource, yara_rule):
  behavioral2/memory/1384-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp  trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2960  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  3556  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  968   e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeTcbPrivilege  3556  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  Token: SeTcbPrivilege  968   e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  1384  e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe
  2960  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  3556  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  968   e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); the 64 logged write events reduce to four distinct parent/child pairs, listed once each:
  PID 1384 wrote to memory of 2960  1384  e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
  PID 2960 wrote to memory of 4620  2960  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe  svchost.exe
  PID 3556 wrote to memory of 2040  3556  e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe  svchost.exe
  PID 968 wrote to memory of 4604   968   e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe  svchost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e9181259ebe70547cda0fb5cbee9d3c0_NEAS.exe"
   PID: 1384
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
      PID: 2960
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 4620
1. C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
   PID: 3556
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 2040
1. C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
   Command line: C:\Users\Admin\AppData\Roaming\WinSocket\e9191269ebe80648cda0fb6cbee9d3c0_NFAS.exe
   PID: 968
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 931KB
  MD5: e9181259ebe70547cda0fb5cbee9d3c0
  SHA1: 665918652df82d7508bdb84975c46678c86aad9c
  SHA256: b0947a84762157bd5413e4f46c30f736672cc28a59720cb8bb2e6aa4dbf45726
  SHA512: f06bdf9a3c340c4a78c2be4df696aef59b14d56c1d05c04a9ddbe1b2f6cb7d0a44087024701303b8abcf43234f0c10731f5389afedcdffbbcbb63b056f1375a4
- Filesize: 18KB
  MD5: 55c8b174f836d44ff4bed01607f1aafb
  SHA1: d6639163649fd0a8a5180d10d9ed40a070252312
  SHA256: a2923f08171c461094b1e63203815205504793630551e43bf6642762b886c152
  SHA512: 653eb08835b4fc75b9254c8583463ee88538fd98000dd99308185366e13c13251cf5093dc0631e507199bb8337ed88bbfe91bf6576b9c79b71f9d4d682f4787e