Analysis
max time kernel: 138s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 09:11
Behavioral task: behavioral1
Sample: 3e31e01cdd290955878f90964f7f0f90_NEIKI.exe
Resource: win7-20240221-en
General
Target: 3e31e01cdd290955878f90964f7f0f90_NEIKI.exe
Size: 1.2MB
MD5: 3e31e01cdd290955878f90964f7f0f90
SHA1: 8acab48cbe67a9a2c45e5d72a97fbb48c6ea4363
SHA256: 5a2cc88fa36f304586f3f6e81dba9beb0a9f5550fa8cb251a7d0bda34daeb72d
SHA512: a9f3f0b325ead4f6e0b79183a55ddc6917c8295d9e4e5f2ee97f80a887c62ffe5f3a771b2a00b176645119242f816dd8365e664a53efe4fd1f95ee29e1a511f0
SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSJ:E5aIwC+Agr6g81p1vsrNiJ
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
    resource:  C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource:  behavioral2/memory/4156-15-0x0000000002170000-0x0000000002199000-memory.dmp
    yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4880  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    2244  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    4200  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description            pid   process
    Token: SeTcbPrivilege  2244  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    Token: SeTcbPrivilege  4200  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   process
    4156  3e31e01cdd290955878f90964f7f0f90_NEIKI.exe
    4880  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    2244  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    4200  3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\3e31e01cdd290955878f90964f7f0f90_NEIKI.exe  (depth 1, PID: 4156)
  command line: "C:\Users\Admin\AppData\Local\Temp\3e31e01cdd290955878f90964f7f0f90_NEIKI.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe  (depth 2, PID: 4880)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe  (depth 3, PID: 2376)
      command line: C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe  (depth 1, PID: 2244)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe  (depth 2, PID: 4408)
    command line: C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe  (depth 1, PID: 4200)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\3e31e01cdd290966989f90974f8f0f90_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe  (depth 2, PID: 1404)
    command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 3e31e01cdd290955878f90964f7f0f90
  SHA1: 8acab48cbe67a9a2c45e5d72a97fbb48c6ea4363
  SHA256: 5a2cc88fa36f304586f3f6e81dba9beb0a9f5550fa8cb251a7d0bda34daeb72d
  SHA512: a9f3f0b325ead4f6e0b79183a55ddc6917c8295d9e4e5f2ee97f80a887c62ffe5f3a771b2a00b176645119242f816dd8365e664a53efe4fd1f95ee29e1a511f0
- Filesize: 43KB
  MD5: 0590b59c79990f0d4e983fa970ccb739
  SHA1: 01ae2bec4a0e459e3bd3bcc8be38291a9e221eae
  SHA256: f68899ec0e8e37601725b3cfd756e1386c7a92f9f730f09424b41e8138339e22
  SHA512: 19d6666b70e5e58da059d461185768be40f5c4199225f25764ce1958e4f8e7cd43f17dc64ef045075cf32b4b24444c1bc437e11fa3c1510cbb87be007331df19