Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2023, 19:22 UTC
Behavioral tasks
- behavioral1: sample NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe, resource win7-20231020-en
- behavioral2: sample NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe, resource win10v2004-20231020-en
General
- Target: NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe
- Size: 188KB
- MD5: 6bfee40e596a6c1159d3b26387bb67d0
- SHA1: bf79cef3a20a3d337d2f3f54be0948e6d0363025
- SHA256: 7d64cc2887a9be7e1740059a02b8b70c8a045aefdfe7ac18e23e9bdcc2cd81db
- SHA512: a42907c35c7e78184aa0a3b157c4103f15f376f5a9ba8c7221f0508261637a71630837e43fc69f89c3b483d7b782707ed0f209c07b011695dd2d3a73fc4c3514
- SSDEEP: 3072:Rc2YlPYqPt7EYjQ9oDJG7zdeGBYIGTPCMJLj9uqgnaIEXvDcGH2abADBS:qf5Pt7VOe7CMJVFgaX/FWabAo
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4904 | MWL_DecryptFile.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/568-0-0x0000000000400000-0x0000000000412000-memory.dmp | upx
  behavioral2/files/0x0007000000022d80-6.dat | upx
  behavioral2/files/0x0007000000022d80-11.dat | upx
  behavioral2/memory/4904-12-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral2/files/0x0007000000022d80-14.dat | upx
  behavioral2/memory/568-13-0x0000000000400000-0x0000000000412000-memory.dmp | upx
  behavioral2/memory/4904-15-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral2/memory/4904-20-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral2/memory/4904-21-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral2/memory/4904-27-0x0000000000400000-0x0000000000422000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4904 | MWL_DecryptFile.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4904 | MWL_DecryptFile.exe
  4904 | MWL_DecryptFile.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 568 wrote to memory of 4904 | 568 | NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe | 86
  PID 568 wrote to memory of 4904 | 568 | NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe | 86
  PID 568 wrote to memory of 4904 | 568 | NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe (PID 568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe (PID 4904, child of 568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
-
Network
All recorded flows are DNS PTR lookups to 8.8.8.8:53:
Remote address | Request | Type | Sent | Received | Requests | Responses
8.8.8.8:53 | 14.160.190.20.in-addr.arpa | IN PTR | 72 B | 158 B | 1 | 1
8.8.8.8:53 | 55.36.223.20.in-addr.arpa | IN PTR | 71 B | 157 B | 1 | 1
8.8.8.8:53 | 26.165.165.52.in-addr.arpa | IN PTR | 72 B | 146 B | 1 | 1
8.8.8.8:53 | 15.164.165.52.in-addr.arpa | IN PTR | 72 B | 146 B | 1 | 1
8.8.8.8:53 | 126.22.238.8.in-addr.arpa | IN PTR | 71 B | 125 B | 1 | 1
8.8.8.8:53 | 95.221.229.192.in-addr.arpa | IN PTR | 73 B | 144 B | 1 | 1
8.8.8.8:53 | 14.227.111.52.in-addr.arpa | IN PTR | 72 B | 158 B | 1 | 1
8.8.8.8:53 | 27.178.89.13.in-addr.arpa | IN PTR | 71 B | 145 B | 1 | 1
Downloads
- Filesize: 52KB
  MD5: f870f701ef885f2ffe92eb9766d8df10
  SHA1: 5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612
  SHA256: 903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291
  SHA512: 3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7