
Analysis

  • max time kernel
    174s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2023, 20:43

General

  • Target

    NEAS.d2093a12c26ccb442b4f3ff378505640.exe

  • Size

    297KB

  • MD5

    d2093a12c26ccb442b4f3ff378505640

  • SHA1

    3cb6d0611aeab0de663c6ce393cb4f66cff12807

  • SHA256

    152285e43b43e21b5565498c9fd20cefd8a4e0f88077b72786665ff16315b184

  • SHA512

    fad41cdcbe12ce2f409cbae48f9991e4983f5348db91404c08650977c1aef5b610013a623a7778b10d2e33470944b137c7e5ded8a7d479fb5d1429eb4e3bd5dd

  • SSDEEP

    6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26OoN:/pW2IoioS6N

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d2093a12c26ccb442b4f3ff378505640.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d2093a12c26ccb442b4f3ff378505640.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:440
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:4932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ak2qP8lmDZ.exe

    Filesize

    297KB

    MD5

    442f5b69e45bfb3e331a8458d81d74bc

    SHA1

    da2334c9363bb6e8008b58ef259ee29292681a58

    SHA256

    78c2355a06f648748cdcfac837bb408a1c78769ae85a9cd09ec31598f99f7ed8

    SHA512

    68ecd3f4ff993d108b4f0d64a72dbd2e7bc0a40ff15b66ae16dcb5e078207acafb2fa1d79b097b9733c2fb78abdee3290fb4af126660d0f19e8c72e490161d0f

  • memory/2020-0-0x000001A52F1B0000-0x000001A52F1D8000-memory.dmp

    Filesize

    160KB

  • memory/2020-1-0x00007FF8DB180000-0x00007FF8DBC41000-memory.dmp

    Filesize

    10.8MB

  • memory/2020-2-0x000001A530D80000-0x000001A530D90000-memory.dmp

    Filesize

    64KB

  • memory/2020-3-0x00007FF8DB180000-0x00007FF8DBC41000-memory.dmp

    Filesize

    10.8MB

  • memory/2020-4-0x000001A530D80000-0x000001A530D90000-memory.dmp

    Filesize

    64KB
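The two reg.exe children in the process tree and the file listed under Downloads are the behaviour worth turning into a detection. Note what each write actually does: EnableLUA=0 under HKLM\...\Policies\System does not bypass a UAC prompt, it switches UAC off entirely at the next boot, and the write itself already needs an elevated process; DisableTaskMgr=1 under HKCU only affects the current user; the copy in C:\ProgramData\...\StartUp runs for every user at logon. The script below is an added example (not tria.ge's code) that parses reg.exe add command lines, normalises hive aliases and DWORD spellings, and flags the same tampering plus Startup-folder drops. The record format (dicts with type, pid, cmdline or path) is an assumption standing in for Sysmon event 1 / event 11 fields; the hex-form and Contoso lines in the sample are constructed, the rest are copied from the report.

```python
"""Flag registry-policy tampering and Startup-folder persistence from process-
and file-creation records. Added example, not tria.ge code. The record format
(dicts with 'type', 'pid', 'cmdline'/'path') is an assumption standing in for
Sysmon event 1 / event 11 fields."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
}

POLICY_SYSTEM = "software\\microsoft\\windows\\currentversion\\policies\\system"

# (hive, key below hive, value name, DWORD data) -> finding. Keys/values compared lower-cased.
TAMPER_RULES = {
    ("HKEY_LOCAL_MACHINE", POLICY_SYSTEM, "enablelua", 0):
        "UAC disabled via EnableLUA=0 (effective after reboot; write needs admin) [T1548.002, T1112]",
    ("HKEY_CURRENT_USER", POLICY_SYSTEM, "disabletaskmgr", 1):
        "Task Manager disabled for the current user [T1112]",
}

# Matches both the all-users (ProgramData) and per-user (AppData\Roaming) Startup folders.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class RegWrite:
    hive: str
    key: str       # lower-cased path below the hive
    value: str     # lower-cased value name
    reg_type: str
    data: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex in POSIX mode would eat the backslashes in C:\\Windows, so use a regex."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    """Return the write performed by a `reg.exe add` command line, else None."""
    tok = tokenize(cmdline)
    if len(tok) < 3 or not tok[0].lower().endswith("reg.exe") or tok[1].lower() != "add":
        return None
    hive_raw, _, path = tok[2].partition("\\")
    hive = HIVE_ALIASES.get(hive_raw.upper())
    if hive is None:
        return None
    opts: dict[str, str] = {}
    i = 3
    while i < len(tok):
        flag = tok[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(tok):
            opts[flag] = tok[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /reg:64 and other flags carry no operand we need
    return RegWrite(hive, path.strip("\\").lower(), opts.get("/v", "").lower(),
                    opts.get("/t", "").upper(), opts.get("/d", ""))


def dword(data: str) -> Optional[int]:
    """reg.exe accepts DWORD data as decimal or 0x-prefixed hex; normalise both."""
    try:
        return int(data, 0)
    except ValueError:
        return None


def match_tamper(w: RegWrite) -> Optional[str]:
    if w.reg_type != "REG_DWORD":
        return None
    return TAMPER_RULES.get((w.hive, w.key, w.value, dword(w.data)))


def is_startup_drop(path: str) -> bool:
    return STARTUP_DIR in path.lower()


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs for records reproducing the behaviour in the report."""
    findings: list[tuple[int, str]] = []
    for ev in events:
        if ev["type"] == "process":
            w = parse_reg_add(ev["cmdline"])
            hit = match_tamper(w) if w else None
            if hit:
                findings.append((ev["pid"], hit))
        elif ev["type"] == "file" and is_startup_drop(ev["path"]):
            findings.append((ev["pid"], f"file written to Startup folder: {ev['path']} [T1547.001]"))
    return findings


# Constructed records: the first two command lines and the file path come from the report;
# PIDs 5001/5002 are invented to show hex-data normalisation and a benign non-match.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 440,
     "cmdline": r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"type": "process", "pid": 4932,
     "cmdline": r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"type": "process", "pid": 5001,
     "cmdline": r'reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    {"type": "process", "pid": 5002,
     "cmdline": r'"C:\Windows\System32\reg.exe" add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark /f'},
    {"type": "file", "pid": 2020,
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ak2qP8lmDZ.exe"},
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Normalising hive aliases and DWORD spellings matters because a rule keyed on the literal string `HKLM ... /d 0` is trivially sidestepped by `HKEY_LOCAL_MACHINE ... /d 0x0`; the parser compares the canonical hive, key, value and integer data instead. To remediate on a live host, the same two values would be set back (EnableLUA=1, DisableTaskMgr deleted) and the Startup-folder file removed, after which a reboot restores UAC.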