Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

NEAS.bed67...50.exe

windows7-x64

6

NEAS.bed67...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    166s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.bed672a2ff681d2008c259a539797250.exe

  • Size

    1.6MB

  • MD5

    bed672a2ff681d2008c259a539797250

  • SHA1

    4f225af6ff36b5737079cfe01dea27b523c7f867

  • SHA256

    ff5a0ec4bb1c182979751492b309bde9dd17cebe47f077bb62a9ac0a6584f380

  • SHA512

    241862b53cfac54160c5c65cdf1c9391f7adc93dd8c660c1989410337df6c8d4eef80e5c2fb99972b270e5fcb8a7017be42c2d95f106e7b0349dafb0945dcdc9

  • SSDEEP

    24576:rLILY8Xu/3y8UsG2BgYLicwnkjCHdebUKyZURQ1TgjTH:cYrC8UsGuTw2CHdeQKyZURQ1EjTH

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.bed672a2ff681d2008c259a539797250.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.bed672a2ff681d2008c259a539797250.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEAS.bed672a2ff681d2008c259a539797250.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2702518373.tmp
    Filesize

    1.6MB

    MD5

    bed672a2ff681d2008c259a539797250

    SHA1

    4f225af6ff36b5737079cfe01dea27b523c7f867

    SHA256

    ff5a0ec4bb1c182979751492b309bde9dd17cebe47f077bb62a9ac0a6584f380

    SHA512

    241862b53cfac54160c5c65cdf1c9391f7adc93dd8c660c1989410337df6c8d4eef80e5c2fb99972b270e5fcb8a7017be42c2d95f106e7b0349dafb0945dcdc9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NEAS.bed672a2ff681d2008c259a539797250.doc
    Filesize

    64KB

    MD5

    3be36d7dd77e5b74dcae094cf50133fc

    SHA1

    8a44586e9ee453f2cac0187465a0288ef671a676

    SHA256

    db1bd3e372125886cbe1261c0e1d020565a09ac8f7431091e8b989e056371380

    SHA512

    12f5c3c0f19cdeb1964d8471c07c3cfd3ffe80c9180f5f3011fa8935e355d52f594f285174f3fee135d8267cbdafbc8ef9202bfeb07b4f7431590ab9741e3d86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NEAS.bed672a2ff681d2008c259a539797250.doc
    Filesize

    64KB

    MD5

    3be36d7dd77e5b74dcae094cf50133fc

    SHA1

    8a44586e9ee453f2cac0187465a0288ef671a676

    SHA256

    db1bd3e372125886cbe1261c0e1d020565a09ac8f7431091e8b989e056371380

    SHA512

    12f5c3c0f19cdeb1964d8471c07c3cfd3ffe80c9180f5f3011fa8935e355d52f594f285174f3fee135d8267cbdafbc8ef9202bfeb07b4f7431590ab9741e3d86

    Download Submit

  • memory/2132-36-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-38-0x00007FFB45F30000-0x00007FFB45F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-32-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-33-0x00007FFB45F30000-0x00007FFB45F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-34-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-30-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-37-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-31-0x00007FFB45F30000-0x00007FFB45F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-35-0x00007FFB45F30000-0x00007FFB45F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-39-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-40-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-41-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-42-0x00007FFB85EB0000-0x00007FFB860A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2132-43-0x00007FFB435D0000-0x00007FFB435E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-45-0x00007FFB435D0000-0x00007FFB435E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-29-0x00007FFB45F30000-0x00007FFB45F40000-memory.dmp

    Filesize

    64KB

    Download