Analysis
- max time kernel: 202s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2023, 18:27
Static task
- static1
Behavioral task
- behavioral1
  - Sample: NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe
  - Resource: win7-20230831-en
Behavioral task
- behavioral2
  - Sample: NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe
  - Resource: win10v2004-20230915-en
General
- Target: NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe
- Size: 2.6MB
- MD5: 882b0e3a6fa4f034d7b920a80fbf0c20
- SHA1: 09700a62c0848d82096e257615fc340fa7f2768f
- SHA256: 78a78d59eebe09d08b4851b830317fa46f06f9ad78290d44dcb1f28fe805be79
- SHA512: aa685817eb309e6ce39ba7a032c4ec3b00ad6cf32271d7c6eb0b1f37fb4db380317a633f9a746557173c36828718aefefa35ff508a8ef03c9ba43c2ac8caed3a
- SSDEEP: 49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/u:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/u
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Executes dropped EXE (7 IoCs)
  - PID 2308 explorer.exe
  - PID 4940 spoolsv.exe
  - PID 3640 spoolsv.exe
  - PID 4316 spoolsv.exe
  - PID 4752 svchost.exe
  - PID 3248 spoolsv.exe
  - PID 4396 explorer.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Drops file in System32 directory (2 IoCs)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (38 IoCs; identical rows collapsed, count per process)
  - PID 3768 NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe: 7
  - PID 2308 explorer.exe: 11
  - PID 4940 spoolsv.exe: 7
  - PID 3640 spoolsv.exe: 3
  - PID 4316 spoolsv.exe: 3
  - PID 4752 svchost.exe: 5
  - PID 3248 spoolsv.exe: 1
  - PID 4396 explorer.exe: 1
- Drops file in Windows directory (4 IoCs)
  - File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe)
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count per process)
  - PID 3768 NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe: 34
  - PID 2308 explorer.exe: 30
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 2308 explorer.exe
  - PID 4752 svchost.exe
- Suspicious use of SetWindowsHookEx (24 IoCs; identical rows collapsed, count per process)
  - PID 3768 NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe: 3
  - PID 2308 explorer.exe: 3
  - PID 4940 spoolsv.exe: 3
  - PID 3640 spoolsv.exe: 3
  - PID 4316 spoolsv.exe: 3
  - PID 4752 svchost.exe: 3
  - PID 3248 spoolsv.exe: 3
  - PID 4396 explorer.exe: 3
- Suspicious use of WriteProcessMemory (21 IoCs; each parent/child pair is reported 3 times in the original)
  - PID 3768 NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe wrote to memory of PID 2308 (procid_target 84): 3
  - PID 2308 explorer.exe wrote to memory of PID 4940 (procid_target 86): 3
  - PID 2308 explorer.exe wrote to memory of PID 3640 (procid_target 87): 3
  - PID 2308 explorer.exe wrote to memory of PID 4316 (procid_target 88): 3
  - PID 4940 spoolsv.exe wrote to memory of PID 4752 (procid_target 89): 3
  - PID 4752 svchost.exe wrote to memory of PID 3248 (procid_target 90): 3
  - PID 3248 spoolsv.exe wrote to memory of PID 4396 (procid_target 91): 3
Processes (process tree; indentation and depth number show the parent/child relationship)
1. C:\Users\Admin\AppData\Local\Temp\NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe, PID 3768
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.882b0e3a6fa4f034d7b920a80fbf0c20.exe"
   Signatures:
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe, PID 2308 (child of PID 3768)
      Command line: c:\windows\resources\themes\explorer.exe
      Signatures:
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe, PID 4940 (child of PID 2308)
         Command line: c:\windows\resources\spoolsv.exe SE
         Signatures:
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe, PID 4752 (child of PID 4940)
            Command line: c:\windows\resources\svchost.exe
            Signatures:
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe, PID 3248 (child of PID 4752)
               Command line: c:\windows\resources\spoolsv.exe PR
               Signatures:
               - Executes dropped EXE
               - Suspicious use of NtSetInformationThreadHideFromDebugger
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               6. \??\c:\windows\resources\themes\explorer.exe, PID 4396 (child of PID 3248)
                  Command line: c:\windows\resources\themes\explorer.exe
                  Signatures:
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of SetWindowsHookEx
      3. \??\c:\windows\resources\spoolsv.exe, PID 3640 (child of PID 2308)
         Command line: c:\windows\resources\spoolsv.exe SE
         Signatures:
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetWindowsHookEx
      3. \??\c:\windows\resources\spoolsv.exe, PID 4316 (child of PID 2308)
         Command line: c:\windows\resources\spoolsv.exe SE
         Signatures:
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads