Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2023, 19:22

General

  • Target

    NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe

  • Size

    188KB

  • MD5

    6bfee40e596a6c1159d3b26387bb67d0

  • SHA1

    bf79cef3a20a3d337d2f3f54be0948e6d0363025

  • SHA256

    7d64cc2887a9be7e1740059a02b8b70c8a045aefdfe7ac18e23e9bdcc2cd81db

  • SHA512

    a42907c35c7e78184aa0a3b157c4103f15f376f5a9ba8c7221f0508261637a71630837e43fc69f89c3b483d7b782707ed0f209c07b011695dd2d3a73fc4c3514

  • SSDEEP

    3072:Rc2YlPYqPt7EYjQ9oDJG7zdeGBYIGTPCMJLj9uqgnaIEXvDcGH2abADBS:qf5Pt7VOe7CMJVFgaX/FWabAo

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe
      "C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe

    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe

    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe

    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

  • memory/568-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/568-13-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/4904-12-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4904-15-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4904-20-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4904-21-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4904-27-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB