Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
Size: 208KB
MD5: 7b9b9853ef5877b00cc43e9760590ab0
SHA1: 7b4893137e7518b060ee6a0e185e53d779d841ad
SHA256: e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb
SHA512: 01b4da351de22899f9152375230cb77f7f8a1bdb3de2ebf67971c0abf6b08e5c55d244a7f0e32c48d39c1d0c6ae9f6163616e6ef0ce58740007998ce4f4f4c1b
SSDEEP: 6144:YwDrqb3DppfVf07P1uxsyAIxh6SqWyKQEj1:Ywi/PNf07P1aQIxh6Sq/KQC
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                          | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | KDOOYM.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | JBDB.exe
Executes dropped EXE (3 IoCs)
  pid  | Process
  1540 | KDOOYM.exe
  1980 | JBDB.exe
  2776 | UCK.exe
Drops file in System32 directory (3 IoCs)
  description                  | ioc                             | Process
  File created                 | C:\windows\SysWOW64\UCK.exe     | JBDB.exe
  File opened for modification | C:\windows\SysWOW64\UCK.exe     | JBDB.exe
  File created                 | C:\windows\SysWOW64\UCK.exe.bat | JBDB.exe
Note: the launcher script is invoked as C:\windows\system32\UCK.exe.bat in the process tree, yet the files are recorded under SysWOW64. JBDB.exe runs as a 32-bit process (cmd.exe and WerFault.exe are also the SysWOW64 copies), so its writes to system32 are subject to WOW64 file-system redirection; a hunt keyed on the literal system32 path would miss this drop.
Drops file in Windows directory (6 IoCs)
  description                  | ioc                         | Process
  File created                 | C:\windows\JBDB.exe.bat     | KDOOYM.exe
  File created                 | C:\windows\KDOOYM.exe       | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  File opened for modification | C:\windows\KDOOYM.exe       | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  File created                 | C:\windows\KDOOYM.exe.bat   | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  File created                 | C:\windows\JBDB.exe         | KDOOYM.exe
  File opened for modification | C:\windows\JBDB.exe         | KDOOYM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash (4 IoCs)
  pid  | pid_target | Process      | procid_target
  376  | 4580       | WerFault.exe | 84
  3328 | 1540       | WerFault.exe | 93
  1636 | 1980       | WerFault.exe | 99
  3112 | 2776       | WerFault.exe | 104
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid  | Process
  4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  1540 | KDOOYM.exe
  1540 | KDOOYM.exe
  1980 | JBDB.exe
  1980 | JBDB.exe
  2776 | UCK.exe
  2776 | UCK.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid  | Process
  4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  1540 | KDOOYM.exe
  1540 | KDOOYM.exe
  1980 | JBDB.exe
  1980 | JBDB.exe
  2776 | UCK.exe
  2776 | UCK.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description                        | pid  | Process                                   | procid_target
  PID 4580 wrote to memory of 2312   | 4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe | 89
  PID 4580 wrote to memory of 2312   | 4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe | 89
  PID 4580 wrote to memory of 2312   | 4580 | NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe | 89
  PID 2312 wrote to memory of 1540   | 2312 | cmd.exe                                   | 93
  PID 2312 wrote to memory of 1540   | 2312 | cmd.exe                                   | 93
  PID 2312 wrote to memory of 1540   | 2312 | cmd.exe                                   | 93
  PID 1540 wrote to memory of 4036   | 1540 | KDOOYM.exe                                | 95
  PID 1540 wrote to memory of 4036   | 1540 | KDOOYM.exe                                | 95
  PID 1540 wrote to memory of 4036   | 1540 | KDOOYM.exe                                | 95
  PID 4036 wrote to memory of 1980   | 4036 | cmd.exe                                   | 99
  PID 4036 wrote to memory of 1980   | 4036 | cmd.exe                                   | 99
  PID 4036 wrote to memory of 1980   | 4036 | cmd.exe                                   | 99
  PID 1980 wrote to memory of 4160   | 1980 | JBDB.exe                                  | 100
  PID 1980 wrote to memory of 4160   | 1980 | JBDB.exe                                  | 100
  PID 1980 wrote to memory of 4160   | 1980 | JBDB.exe                                  | 100
  PID 4160 wrote to memory of 2776   | 4160 | cmd.exe                                   | 104
  PID 4160 wrote to memory of 2776   | 4160 | cmd.exe                                   | 104
  PID 4160 wrote to memory of 2776   | 4160 | cmd.exe                                   | 104
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe"
    PID: 4580
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KDOOYM.exe.bat" "
        PID: 2312
        - Suspicious use of WriteProcessMemory
        [3] C:\windows\KDOOYM.exe
            command line: C:\windows\KDOOYM.exe
            PID: 1540
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JBDB.exe.bat" "
                PID: 4036
                - Suspicious use of WriteProcessMemory
                [5] C:\windows\JBDB.exe
                    command line: C:\windows\JBDB.exe
                    PID: 1980
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCK.exe.bat" "
                        PID: 4160
                        - Suspicious use of WriteProcessMemory
                        [7] C:\windows\SysWOW64\UCK.exe
                            command line: C:\windows\system32\UCK.exe
                            PID: 2776
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of SetWindowsHookEx
                            [8] C:\Windows\SysWOW64\WerFault.exe
                                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 844
                                PID: 3112
                                - Program crash
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1296
                        PID: 1636
                        - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1312
                PID: 3328
                - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 948
        PID: 376
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4580 -ip 4580
    PID: 5076
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1540 -ip 1540
    PID: 1236
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1980 -ip 1980
    PID: 1220
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2776 -ip 2776
    PID: 2172
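The process tree above is a four-stage drop-and-relaunch loop: each stage writes X.exe and X.exe.bat, spawns cmd.exe /c X.exe.bat, and the launched X.exe repeats the pattern until every stage faults under WerFault. The Python below, an added example that is neither tria.ge code nor the report's output, reconstructs that chain from sandbox-style process and file-create events. The event tuples are transcribed by hand from the IoCs shown above (their layout is an assumption, not Triage's export format); the BENIGN_EXTRA records are hypothetical and exist only to show that a script the parent did not drop is not flagged. The SysWOW64/system32 fold in normalize() is what lets the third hop match, since JBDB.exe names system32 on the command line while the file lands in SysWOW64.

```python
"""Reconstruct a drop-and-relaunch chain from sandbox-style events.

Added example for this report; not tria.ge code or output. The event
records were transcribed by hand from the IoCs in the report (process tree
and "Drops file" signatures); the tuple layout is an assumption, not
Triage's export format.
"""
import re
from typing import List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


class Stage(NamedTuple):
    dropper_pid: int   # process that wrote both X.exe and X.exe.bat
    dropped_exe: str   # normalized path of X.exe
    cmd_pid: int       # cmd.exe /c X.exe.bat spawned by the dropper
    launched_pid: int  # X.exe started by that cmd.exe


# Constructed from the report's process tree.
PROCESSES = [
    Proc(4580, None, r"C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe"'),
    Proc(2312, 4580, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\windows\KDOOYM.exe.bat" "'),
    Proc(1540, 2312, r"C:\windows\KDOOYM.exe", r"C:\windows\KDOOYM.exe"),
    Proc(4036, 1540, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\windows\JBDB.exe.bat" "'),
    Proc(1980, 4036, r"C:\windows\JBDB.exe", r"C:\windows\JBDB.exe"),
    Proc(4160, 1980, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCK.exe.bat" "'),
    Proc(2776, 4160, r"C:\windows\SysWOW64\UCK.exe", r"C:\windows\system32\UCK.exe"),
    Proc(3112, 2776, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 844"),
]

# Constructed from the report's "Drops file in ... directory" signatures.
FILE_CREATES = [
    (4580, r"C:\windows\KDOOYM.exe"),
    (4580, r"C:\windows\KDOOYM.exe.bat"),
    (1540, r"C:\windows\JBDB.exe"),
    (1540, r"C:\windows\JBDB.exe.bat"),
    (1980, r"C:\windows\SysWOW64\UCK.exe"),
    (1980, r"C:\windows\SysWOW64\UCK.exe.bat"),
]

# Hypothetical processes (not in the report): same cmd.exe /c X.exe.bat shape,
# but the parent never dropped the script, so the hop must not be flagged.
BENIGN_EXTRA = [
    Proc(9001, 4580, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\scripts\backup.exe.bat"'),
    Proc(9002, 9001, r"C:\scripts\backup.exe", r"C:\scripts\backup.exe"),
]

_BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)"', re.IGNORECASE)


def normalize(path: str) -> str:
    """Case-fold a path and undo WOW64 file-system redirection.

    The 32-bit stages name system32 on their command lines while the files
    land in SysWOW64, so both spellings are folded to one key.
    """
    return path.strip().lower().replace("\\syswow64\\", "\\system32\\")


def bat_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the normalized .bat path a 'cmd.exe /c ...' line runs, if any."""
    m = _BAT_RE.search(cmdline)
    return normalize(m.group(1)) if m else None


def find_stages(procs: List[Proc], file_creates) -> List[Stage]:
    """Find every dropper -> cmd.exe /c X.exe.bat -> X.exe hop.

    A hop counts only when the cmd.exe's parent wrote both X.exe.bat and
    X.exe, and a child of that cmd.exe is X.exe.
    """
    created = {(pid, normalize(path)) for pid, path in file_creates}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    stages = []
    for cmd in procs:
        if cmd.ppid is None or not normalize(cmd.image).endswith("\\cmd.exe"):
            continue
        bat = bat_from_cmdline(cmd.cmdline)
        if bat is None:
            continue
        exe = bat[: -len(".bat")]
        if (cmd.ppid, bat) not in created or (cmd.ppid, exe) not in created:
            continue
        for child in children.get(cmd.pid, []):
            if normalize(child.image) == exe:
                stages.append(Stage(cmd.ppid, exe, cmd.pid, child.pid))
    return stages


def link_chain(stages: List[Stage], root_pid: int) -> List[int]:
    """Follow hops where each launched exe becomes the next dropper."""
    by_dropper = {s.dropper_pid: s for s in stages}
    chain = [root_pid]
    while chain[-1] in by_dropper and by_dropper[chain[-1]].launched_pid not in chain:
        chain.append(by_dropper[chain[-1]].launched_pid)
    return chain


if __name__ == "__main__":
    found = find_stages(PROCESSES + BENIGN_EXTRA, FILE_CREATES)
    for s in found:
        print(f"pid {s.dropper_pid} dropped {s.dropped_exe}; cmd pid {s.cmd_pid} launched pid {s.launched_pid}")
    print("relaunch chain:", " -> ".join(map(str, link_chain(found, 4580))))
```

Run as-is it reports three hops (4580 -> 1540 -> 1980 -> 2776) and ignores the hypothetical backup.exe.bat launch. The two-file requirement (script plus target written by the same parent) is the discriminator worth keeping in a production rule: cmd.exe /c some.bat on its own is far too common to alert on.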
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 208KB
MD5: 1de74250374e438bd4705459f429ba70
SHA1: 2a577f9af86c54ceacb7478d27411187cdc74bf8
SHA256: 5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7
SHA512: 57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3
-
Filesize: 208KB
MD5: 1de74250374e438bd4705459f429ba70
SHA1: 2a577f9af86c54ceacb7478d27411187cdc74bf8
SHA256: 5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7
SHA512: 57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3
-
Filesize: 208KB
MD5: f0916a27a006ca4086b0ca7e3ab2cb28
SHA1: f4487d1b10f0e3ceaa09bf234407fbd24b56dcea
SHA256: cf745c426320203325bc4ddd136d893c35912374b5678499726b64ed081b8aa1
SHA512: 65491a45b56e712b790f372246379f3c151e820f350f2e4aaf1f2ba038e4434ac5bcfeba214f6b8d0dd7f194cf77e7685d9061c4c9fd517f27f7420c69a79d53
-
Filesize: 208KB
MD5: 1ca4ae0742333c645147b76e36d9931d
SHA1: c5b5f0ead671ad7ba877a055b7e5df6dd9d63808
SHA256: 71e4cd3853f6b6ba20dd8a828f52281f5d2a7de361a0acf726bc4b936b24dc04
SHA512: 1a85fe1d1bf9a03a1af4150bcc8f086cd5e92dfa4ee4efe6f81d483712424e40a0dbdd6b0f1ddddd2d3c92782e11e800afc786eed46c52be26f60a981f002fb8
-
Filesize: 208KB
MD5: 1de74250374e438bd4705459f429ba70
SHA1: 2a577f9af86c54ceacb7478d27411187cdc74bf8
SHA256: 5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7
SHA512: 57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3
-
Filesize: 54B
MD5: 56a4376e57e54742e94780170a49837c
SHA1: ca484b6c19feccdb6db2730ac3ba3d356eb8200e
SHA256: 347aea07e79f03824e97081346c8e0e62e40e9c61c18daa93bf409bf79140b1d
SHA512: 72f66c768979db760468fbe01a8e3ee5dd77874e257a738b6fda7e87d1c38baa1b7d67d4fbb36e1ab334c2b8563e3627d50f1832780ceb11c73bcae379986712
-
Filesize: 208KB
MD5: f0916a27a006ca4086b0ca7e3ab2cb28
SHA1: f4487d1b10f0e3ceaa09bf234407fbd24b56dcea
SHA256: cf745c426320203325bc4ddd136d893c35912374b5678499726b64ed081b8aa1
SHA512: 65491a45b56e712b790f372246379f3c151e820f350f2e4aaf1f2ba038e4434ac5bcfeba214f6b8d0dd7f194cf77e7685d9061c4c9fd517f27f7420c69a79d53
-
Filesize: 58B
MD5: 02f7bf036032fc8a2a2bac206f781157
SHA1: 2cb016b570f2dbb2cfcae0f92e786f8a97ba78e7
SHA256: 680efdad23da030067b130bd7aed9270cc54a6beafc04f00f592832e1275eccf
SHA512: 5b9eada6eb6b11093e92a6a81be16cbe8885fabc8d9db67acd736b583ef2e243e49423f849bb78fb90bff7ea7ec118b036103b463f80ed898d4627a4c39080f3
-
Filesize: 208KB
MD5: 1ca4ae0742333c645147b76e36d9931d
SHA1: c5b5f0ead671ad7ba877a055b7e5df6dd9d63808
SHA256: 71e4cd3853f6b6ba20dd8a828f52281f5d2a7de361a0acf726bc4b936b24dc04
SHA512: 1a85fe1d1bf9a03a1af4150bcc8f086cd5e92dfa4ee4efe6f81d483712424e40a0dbdd6b0f1ddddd2d3c92782e11e800afc786eed46c52be26f60a981f002fb8
-
Filesize: 70B
MD5: 3eefb5e6fec4e2942911658edbad5146
SHA1: 5fa67a0cd95affcc508111e622b522a107bfb508
SHA256: 0ac955f6bbc4782bde6cef5702b1d01b5012a433f8c84417e047c9a93213f92c
SHA512: b2db571dbd204638b4eb427af834ae9c479262eb34003e7d35b6dbcc975e7f3465644323fc9855514aa8b19407676d51b52bec779ef83afbc28519bcbcde1be8