Analysis
- Max time kernel: 149s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230915-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 14/10/2023, 08:23
Static task: static1

Behavioral task: behavioral1
- Sample: NEAS.f7360409d0c58f335830de329debb1f0.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: NEAS.f7360409d0c58f335830de329debb1f0.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.f7360409d0c58f335830de329debb1f0.exe
- Size: 48KB
- MD5: f7360409d0c58f335830de329debb1f0
- SHA1: db093cd04d3f521a49d7b18211e8a4add3f338d9
- SHA256: 58520880af8d86a5c96c276b7365fe9ab1b1e03d6813200e4796fa4403fcc4ed
- SHA512: 6dbdff9bd073d523249819b9681b9bcd72b5f5e1c86e6d5a413527ff600fceab67c4ffac3c2a36494bae113c01390ded1aab75b0c5c829a6ca6fd588cfc0471c
- SSDEEP: 384:dw2nwR2Fbql2alyVzJshA4FNPxXUfgCsApV2WCMuWl84IqGXhh19:dwowR6XaUVlYNPxkfLsApVZRP+4xGXhZ
Malware Config
(none extracted)

Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  | description | ioc | Process |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | NEAS.f7360409d0c58f335830de329debb1f0.exe |

- Executes dropped EXE (1 IoC)
  | pid | Process |
  | 2672 | hummy.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (3 IoCs)
  | description | pid | Process | procid_target |
  | PID 2716 wrote to memory of 2672 | 2716 | NEAS.f7360409d0c58f335830de329debb1f0.exe | 88 |
  | PID 2716 wrote to memory of 2672 | 2716 | NEAS.f7360409d0c58f335830de329debb1f0.exe | 88 |
  | PID 2716 wrote to memory of 2672 | 2716 | NEAS.f7360409d0c58f335830de329debb1f0.exe | 88 |
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.f7360409d0c58f335830de329debb1f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f7360409d0c58f335830de329debb1f0.exe"
  PID: 2716
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hummy.exe (child of PID 2716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hummy.exe"
    PID: 2672
    - Executes dropped EXE
Network
(no network activity recorded)

MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
  MD5: a7da8800511fe22d7eadca9cbdb27358
  SHA1: 971e02d83efe0035be1a7ef211a9bdf07f9f4980
  SHA256: 17a087192d4cb77fdfb74b25115e7c362ae4887d43e6f4520a2adfee0273cf14
  SHA512: 31796da96d1532ea5fc08599061c4dd5f2ff32b82d7f459f056341ed38dc41cc9d055ac3e225645052d38536b499d41cbe6563be3ff0fd0ea297ea56b9758495