Analysis
max time kernel: 174s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:43
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.d2093a12c26ccb442b4f3ff378505640.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.d2093a12c26ccb442b4f3ff378505640.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Size: 297KB
MD5: d2093a12c26ccb442b4f3ff378505640
SHA1: 3cb6d0611aeab0de663c6ce393cb4f66cff12807
SHA256: 152285e43b43e21b5565498c9fd20cefd8a4e0f88077b72786665ff16315b184
SHA512: fad41cdcbe12ce2f409cbae48f9991e4983f5348db91404c08650977c1aef5b610013a623a7778b10d2e33470944b137c7e5ded8a7d479fb5d1429eb4e3bd5dd
SSDEEP: 6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26OoN:/pW2IoioS6N
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Disables Task Manager via registry modification

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | NEAS.d2093a12c26ccb442b4f3ff378505640.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe BATCF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe NTPAD %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe NTPAD %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe CMDSF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe VBSSF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe HTMWF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe RTFDF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe NTPAD %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe NTPAD %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe BATCF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d2093a12c26ccb442b4f3ff378505640.exe JPGIF %1" | NEAS.d2093a12c26ccb442b4f3ff378505640.exe

Modifies registry key 1 TTPs 2 IoCs
pid | Process
440 | reg.exe
4932 | reg.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2020 wrote to memory of 440 | 2020 | NEAS.d2093a12c26ccb442b4f3ff378505640.exe | 88
PID 2020 wrote to memory of 440 | 2020 | NEAS.d2093a12c26ccb442b4f3ff378505640.exe | 88
PID 2020 wrote to memory of 4932 | 2020 | NEAS.d2093a12c26ccb442b4f3ff378505640.exe | 89
PID 2020 wrote to memory of 4932 | 2020 | NEAS.d2093a12c26ccb442b4f3ff378505640.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d2093a12c26ccb442b4f3ff378505640.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d2093a12c26ccb442b4f3ff378505640.exe"
  - Checks computer location settings
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2020
    C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID:440
    C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
      PID:4932
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
Filesize: 297KB
MD5: 442f5b69e45bfb3e331a8458d81d74bc
SHA1: da2334c9363bb6e8008b58ef259ee29292681a58
SHA256: 78c2355a06f648748cdcfac837bb408a1c78769ae85a9cd09ec31598f99f7ed8
SHA512: 68ecd3f4ff993d108b4f0d64a72dbd2e7bc0a40ff15b66ae16dcb5e078207acafb2fa1d79b097b9733c2fb78abdee3290fb4af126660d0f19e8c72e490161d0f