Analysis

  • max time kernel
    186s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2023, 18:05 UTC

General

  • Target

    NEAS.8fbdebbda4b82495cea9f98cae846760.exe

  • Size

    204KB

  • MD5

    8fbdebbda4b82495cea9f98cae846760

  • SHA1

    983b70886f4a39ccefae72c006afa4c0820fcefe

  • SHA256

    5f8900aec85fbc1470385549dfb6ee83bb440cdb70c490bcc09f24a994cc792f

  • SHA512

    0ce8495d5d6aa8e8b692ef5a97e8f84e2e4a64fe390f96dadad3ac12052926e5f1a40252e16cbd4da9db95241fe1c0dbac2b58b7a7842b06707fbf52c5d6e712

  • SSDEEP

    3072:bm6W8W0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWfgs:qPt4QxL7B9W0c1RCzR/fSmlMD

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 27 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8fbdebbda4b82495cea9f98cae846760.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\wtcuz.exe
      "C:\Users\Admin\wtcuz.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1012

Network

  • flag-us
    DNS
    8.3.197.209.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.3.197.209.in-addr.arpa
    IN PTR
    Response
    8.3.197.209.in-addr.arpa
    IN PTR
    vip0x008.map2.sslhwcdn.net
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=181AAEFC90AD68193CB5BD5791C16980; domain=.bing.com; expires=Fri, 08-Nov-2024 05:29:56 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7B73118FB8CC449CAF5E841C98A801D6 Ref B: BRU30EDGE0513 Ref C: 2023-10-15T05:29:56Z
    date: Sun, 15 Oct 2023 05:29:55 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=181AAEFC90AD68193CB5BD5791C16980
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 56B609F6D5964DED9C26DC14F65078CD Ref B: BRU30EDGE0513 Ref C: 2023-10-15T05:29:56Z
    date: Sun, 15 Oct 2023 05:29:55 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=181AAEFC90AD68193CB5BD5791C16980
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8CF250AE736A4BEBA76C566460682359 Ref B: BRU30EDGE0513 Ref C: 2023-10-15T05:29:56Z
    date: Sun, 15 Oct 2023 05:29:55 GMT
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    39.142.81.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    39.142.81.104.in-addr.arpa
    IN PTR
    Response
    39.142.81.104.in-addr.arpa
    IN PTR
    a104-81-142-39.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    240.81.21.72.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.81.21.72.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ns1.spansearcher.net
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spansearcher.net
    IN A
    Response
  • flag-us
    DNS
    ns1.spinsearcher.org
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
    Response
  • flag-us
    DNS
    ns1.player1352.net
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    104.155.138.21
    ns1.player1352.net
    IN A
    107.178.223.183
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.57.101.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.57.101.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    63.141.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.141.182.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=
    tls, http2
    1.9kB
    9.3kB
    21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d0142078998142449811f1b36a793ff4&localId=w:B3ECE6FF-2B87-B2CF-0F51-300E8C2A2AF2&deviceId=6896185928743255&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.3.197.209.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    8.3.197.209.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    39.142.81.104.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    39.142.81.104.in-addr.arpa

  • 8.8.8.8:53
    240.81.21.72.in-addr.arpa
    dns
    71 B
    142 B
    1
    1

    DNS Request

    240.81.21.72.in-addr.arpa

  • 8.8.8.8:53
    ns1.spansearcher.net
    dns
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    66 B
    139 B
    1
    1

    DNS Request

    ns1.spansearcher.net

  • 8.8.8.8:53
    ns1.spinsearcher.org
    dns
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    66 B
    148 B
    1
    1

    DNS Request

    ns1.spinsearcher.org

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    NEAS.8fbdebbda4b82495cea9f98cae846760.exe
    64 B
    96 B
    1
    1

    DNS Request

    ns1.player1352.net

    DNS Response

    104.155.138.21
    107.178.223.183

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    9.57.101.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.57.101.20.in-addr.arpa

  • 8.8.8.8:53
    63.141.182.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    63.141.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\wtcuz.exe

    Filesize

    204KB

    MD5

    f5c56834cf4008b0e62804b6d1ca1670

    SHA1

    3796e65ac8c94d529f19952fa36bd7233d92719f

    SHA256

    3e8dde664762971da8795b104a2cff19b09e98117ec0a7a5d76ea6e9ee3de76c

    SHA512

    59f7c7d7dcadaa50e3645713ce55f7b2559a819ab92e90f6f7484b66049e0c800040d5700ba049d3063670c497a70572544db44df35397c1f17921e501a9cb95
