Analysis
max time kernel: 157s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:03
Behavioral task behavioral1
Sample: NEAS.28b06fccca93cac6018b31f3842c31f0.exe
Resource: win7-20230831-en
Behavioral task behavioral2
Sample: NEAS.28b06fccca93cac6018b31f3842c31f0.exe
Resource: win10v2004-20230915-en
General
Target: NEAS.28b06fccca93cac6018b31f3842c31f0.exe
Size: 88KB
MD5: 28b06fccca93cac6018b31f3842c31f0
SHA1: 9dd49ea04c383f3adef773a18f59a7025b9248cf
SHA256: e2a91b70af3d16550ca56fb68f1e9c4095773a9f5a07ff754a2f0ebb182fe7d8
SHA512: 58fd5b188f65dbb2b19b20890a894edb348126671642576a7f3336d28ce3c60cca7855f147b933f62190facffc9a0f75f5e2127f6b43c5a0994a96bc1332df92
SSDEEP: 1536:HKiJCGGi39mF3OpIfEabJdvOW8h+ZrNr8lvuvmqd4FOejogFPGa/ip5yp:HKHi39E5Eash2mlhBOejooPGa/ocp
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 2716, process prints.exe
Loads dropped DLL (2 IoCs)
pid 2716, process prints.exe (2 entries)
yara_rule upx matched resources (5 IoCs)
behavioral2/memory/2848-0-0x0000000000400000-0x0000000000434000-memory.dmp
behavioral2/files/0x0006000000023086-11.dat
behavioral2/files/0x0006000000023086-12.dat
behavioral2/memory/2848-18-0x0000000000400000-0x0000000000434000-memory.dmp
behavioral2/memory/2716-20-0x0000000000400000-0x0000000000434000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSysQQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\prints.exe", process prints.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2716, process prints.exe (64 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2848 (NEAS.28b06fccca93cac6018b31f3842c31f0.exe) wrote to memory of PID 2716, procid_target 86 (3 entries)
PID 2848 (NEAS.28b06fccca93cac6018b31f3842c31f0.exe) wrote to memory of PID 1464, procid_target 88 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.28b06fccca93cac6018b31f3842c31f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.28b06fccca93cac6018b31f3842c31f0.exe"
   PID: 2848
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\prints.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\prints.exe
      PID: 2716
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Deleteme.bat
      PID: 1464
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 194B
MD5: 73ce26fbe56b8ba482fa28645c52ce40
SHA1: a035d428bb4cb6f630b7089a2bec8323ddbefde5
SHA256: 850bfcc65a371971152aff638988dbc533070d06dfc43399847dbfb7fa1e9726
SHA512: 9488d10158a0788a3459178e26a2dcbee2330db994da2d755d125346e1c83b5ff7889a4302462121391714cf84fdcff26f55652141f38cec2bda3a1830a138ef

Filesize: 100KB
MD5: 2a65cea9b055ce4ed42edbd4e356a1d4
SHA1: 50be987e1b846385c00ae77dc6f8a1b30070fa50
SHA256: 3e8eb17dd4f927991307eeecfcd01c2fb16383c25e282b0e39faf4f2460d4503
SHA512: e73578073bcaff87927aa0c20bf062c3afa20a70488934b3945b8b80d50cfba34e486d5e9cee92acd7c66d86aa123a0489e1bba22815b8ecdd1250a1bd5b6682

Filesize: 88KB (same hashes as the target sample)
MD5: 28b06fccca93cac6018b31f3842c31f0
SHA1: 9dd49ea04c383f3adef773a18f59a7025b9248cf
SHA256: e2a91b70af3d16550ca56fb68f1e9c4095773a9f5a07ff754a2f0ebb182fe7d8
SHA512: 58fd5b188f65dbb2b19b20890a894edb348126671642576a7f3336d28ce3c60cca7855f147b933f62190facffc9a0f75f5e2127f6b43c5a0994a96bc1332df92