Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 14/10/2023, 08:21
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
Size: 135KB
MD5: ed468555b5eb89c1aaae13a81e8ddfa0
SHA1: fb07e2da5b9a747c41f88663643f9dfab040b9b2
SHA256: 486685122c026db0fc3fd7ed53b2ced2909123c2aec2d015e4db9d15a39a8c9f
SHA512: 9e13ce00793703394d6e74b27ea2b7f337b8b3140008e4be2955872aabe279f6605a24cbe39bc192600c0372d072a3889460723e8a1cd9c1ac2800f5263456f0
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVDK3:UVqoCl/YgjxEufVU0TbTyDDal5K3
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                      Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2372  explorer.exe
  2004  spoolsv.exe
  1552  svchost.exe
  5024  spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"            explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"            svchost.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe

Drops file in Windows directory (4 IoCs)
  description                   ioc                                          Process
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe          explorer.exe
  File opened for modification  \??\c:\windows\resources\svchost.exe          spoolsv.exe
  File opened for modification  C:\Windows\Resources\tjud.exe                 explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe  (repeated hits)
  2372  explorer.exe                               (repeated hits)
  The 64 hits are all from these two processes; the report lists each hit as its own row.

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2372  explorer.exe
  1552  svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   Process
  5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
  5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
  2372  explorer.exe
  2372  explorer.exe
  2004  spoolsv.exe
  2004  spoolsv.exe
  1552  svchost.exe
  1552  svchost.exe
  5024  spoolsv.exe
  5024  spoolsv.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                    procid_target
  PID 5044 wrote to memory of 2372     5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe  87
  PID 5044 wrote to memory of 2372     5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe  87
  PID 5044 wrote to memory of 2372     5044  NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe  87
  PID 2372 wrote to memory of 2004     2372  explorer.exe                               88
  PID 2372 wrote to memory of 2004     2372  explorer.exe                               88
  PID 2372 wrote to memory of 2004     2372  explorer.exe                               88
  PID 2004 wrote to memory of 1552     2004  spoolsv.exe                                89
  PID 2004 wrote to memory of 1552     2004  spoolsv.exe                                89
  PID 2004 wrote to memory of 1552     2004  spoolsv.exe                                89
  PID 1552 wrote to memory of 5024     1552  svchost.exe                                90
  PID 1552 wrote to memory of 5024     1552  svchost.exe                                90
  PID 1552 wrote to memory of 5024     1552  svchost.exe                                90
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ed468555b5eb89c1aaae13a81e8ddfa0.exe"
   PID: 5044
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2372
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 2004
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 1552
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 5024
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 135KB
  MD5: 009c17e68955d8b60d80c573476edf28
  SHA1: e14dcf077af6827d6c4364c1694c08ce9558fc93
  SHA256: e262faccc9aa03b9587d5a6d0a8479e6eddcb6467d299440357800e0fb99abcc
  SHA512: 187816ea816f73fab22e51a36c2ffc324d955d54467c40e92455f94ddb12a368fa86225f0351a81b2413826d3f33eb8b69fba7afe1d8dc4efe335180e45480b7

Dropped file 2
  Filesize: 135KB
  MD5: 266e38e10176f4fdac26209f773f861c
  SHA1: 10ab45e3365693a83c7c5acd49d83ac48b5c4c29
  SHA256: b27b203c0f96376380ce98dd5e207c258a875af64c7a0db1866d324fc1e8645b
  SHA512: 5b68b53cfb0cf9205e5f56670b1e141b307015656eaabedea6024b320649a57309381de679ee86cb1a8f6ed552aa16a54ce26403d46cf390e808eb002f63d6f8

Dropped file 3
  Filesize: 135KB
  MD5: 266e38e10176f4fdac26209f773f861c
  SHA1: 10ab45e3365693a83c7c5acd49d83ac48b5c4c29
  SHA256: b27b203c0f96376380ce98dd5e207c258a875af64c7a0db1866d324fc1e8645b
  SHA512: 5b68b53cfb0cf9205e5f56670b1e141b307015656eaabedea6024b320649a57309381de679ee86cb1a8f6ed552aa16a54ce26403d46cf390e808eb002f63d6f8

Dropped file 4
  Filesize: 135KB
  MD5: 266e38e10176f4fdac26209f773f861c
  SHA1: 10ab45e3365693a83c7c5acd49d83ac48b5c4c29
  SHA256: b27b203c0f96376380ce98dd5e207c258a875af64c7a0db1866d324fc1e8645b
  SHA512: 5b68b53cfb0cf9205e5f56670b1e141b307015656eaabedea6024b320649a57309381de679ee86cb1a8f6ed552aa16a54ce26403d46cf390e808eb002f63d6f8

Dropped file 5
  Filesize: 135KB
  MD5: 7544e39cc8bbdc9bba98daacf5fb5aa8
  SHA1: f665f8ef7775d8c1cc489da076baaf0c440d2106
  SHA256: 696a5376029d6a0d8972db3ee0d79169c32f8a004195fff16c1f8dd9dec9445a
  SHA512: 41a1f6c287ef38557782930d992cc6c7a3dc731992515476fb7ee5dda5126e8d32c8d758d6b3d84f755a7975af08b50b5f67b656b6bc4be8aeb908ec9210bf5f

Dropped file 6
  Filesize: 135KB
  MD5: 266e38e10176f4fdac26209f773f861c
  SHA1: 10ab45e3365693a83c7c5acd49d83ac48b5c4c29
  SHA256: b27b203c0f96376380ce98dd5e207c258a875af64c7a0db1866d324fc1e8645b
  SHA512: 5b68b53cfb0cf9205e5f56670b1e141b307015656eaabedea6024b320649a57309381de679ee86cb1a8f6ed552aa16a54ce26403d46cf390e808eb002f63d6f8

Dropped file 7
  Filesize: 135KB
  MD5: 7544e39cc8bbdc9bba98daacf5fb5aa8
  SHA1: f665f8ef7775d8c1cc489da076baaf0c440d2106
  SHA256: 696a5376029d6a0d8972db3ee0d79169c32f8a004195fff16c1f8dd9dec9445a
  SHA512: 41a1f6c287ef38557782930d992cc6c7a3dc731992515476fb7ee5dda5126e8d32c8d758d6b3d84f755a7975af08b50b5f67b656b6bc4be8aeb908ec9210bf5f

Dropped file 8
  Filesize: 135KB
  MD5: 009c17e68955d8b60d80c573476edf28
  SHA1: e14dcf077af6827d6c4364c1694c08ce9558fc93
  SHA256: e262faccc9aa03b9587d5a6d0a8479e6eddcb6467d299440357800e0fb99abcc
  SHA512: 187816ea816f73fab22e51a36c2ffc324d955d54467c40e92455f94ddb12a368fa86225f0351a81b2413826d3f33eb8b69fba7afe1d8dc4efe335180e45480b7