Analysis
max time kernel: 187s
max time network: 216s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2023, 08:22
Behavioral task: behavioral1
Sample: NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe
Resource: win10v2004-20230915-en
General
Target: NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe
Size: 33KB
MD5: efc54e3945c5b1d0d7f8c33d78eab2c0
SHA1: 2888811f6f0a877b74759cc9d9aa8bd4a162312e
SHA256: 8c5e3b007d068ccb2c9751dc04e8157f36f6d198b1720f090e1a579bac9e483a
SHA512: eec1f690fe27a9edd5e6abe2fb1a426bb78f9682e73c18e585467ffc06fc983972d7e6922326a5015c0f388ac2ef4bbfb822145e7e217f226aa7779a7545d402
SSDEEP: 768:j5Gsq/XQGcoGVzUDWbcvZOkglUWJY3ggxfha5:j5GD/XPgQGcvZORS3g+
Malware Config
Signatures
- YARA match: resource behavioral2/files/0x0001000000022890-10.dat, yara_rule aspack_v212_v242

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\b: (Process: NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe)
Drops file in Program Files directory (24 IoCs)
Every entry is "File opened for modification" by process NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe:
- \??\c:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
- \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
- \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
- \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- \??\c:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
- \??\c:\Program Files\Common Files\microsoft shared\ink\mip.exe
- \??\c:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
- \??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
- \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- \??\c:\Program Files\7-Zip\7zFM.exe
- \??\c:\Program Files\7-Zip\Uninstall.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- \??\c:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
- \??\c:\Program Files\7-Zip\7z.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- \??\c:\Program Files\7-Zip\7zG.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2988, Process NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe (the same entry is listed 64 times)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2988 wrote to memory of 3180 (pid 2988, Process NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe, procid_target 81), listed 3 times
- PID 2988 wrote to memory of 4864 (pid 2988, Process NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe, procid_target 82), listed 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe"
  PID: 2988
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\at.exe (depth 2)
    Command line: at 1 /delete /yes
    PID: 3180
  - C:\Windows\SysWOW64\at.exe (depth 2)
    Command line: at 9:21:43 PM "C:\Users\Admin\AppData\Local\Temp\NEAS.efc54e3945c5b1d0d7f8c33d78eab2c0.exe"
    PID: 4864
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67KB
  MD5: caa48aad8f6e134146378bca699841e2
  SHA1: 4e32e1d7a80feddca5d887a3d5182064fb61a58b
  SHA256: 81e6cfdbcf1fb3a5d0b7deb0f4a65d3387a160e8f1ba43814b5c972b5137aa40
  SHA512: 81107ff421a8b29b2fb2fd06993a4df197991484d4f7b18929b68e6822c8938024bc06114e32b3b88d19bcbeae4fc45c4a125c7612b9469c087a3ee9c8ab0629