Analysis
max time kernel: 134s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 21:23
Static task static1
Behavioral task behavioral1: sample NEAS.702ee218cab1cca6d1c9d68681cef620.exe, resource win7-20231020-en
Behavioral task behavioral2: sample NEAS.702ee218cab1cca6d1c9d68681cef620.exe, resource win10v2004-20231020-en
(The results below are from the Windows 10 run, behavioral2.)
General
Target: NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Size: 5.5MB
MD5: 702ee218cab1cca6d1c9d68681cef620
SHA1: 798ee2288f421c71062610ec89d44aa2b66c0f0c
SHA256: 9a23c61502141ca5a2be7d1649f740041e1c836fbfbb291726fbb083f8e91f34
SHA512: 5fdaf8a8416c359bd1d2a4b8d24ab0817145859703061ab121911147e027c0f5bb9a800aa2154ca85398fbf529216f312a0ed5755aa73dba5b7381ce07145d79
SSDEEP: 98304:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7c:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7oM
Note: the ssdeep digest is one short block repeated over and over, which suggests most of the 5.5MB is repeating filler that inflates the file size. The dropped copies listed under Downloads have different MD5/SHA1/SHA256 values from the submitted sample, so exact-hash blocking of this sample alone does not cover them.
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
Note: with HideFileExt = 1 and ShowSuperHidden = 0, the dropped C:\windows\hosts.exe is shown in Explorer simply as "hosts", borrowing the name of the legitimate hosts file, and hidden/system attributes on the dropped files are not displayed. All three executables (the sample and both dropped copies) set both values, so a manual revert is undone the next time any of them runs.
Adds policy Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QIAFAGXK = "W_X_C.bat" | WScript.exe
(The pair is recorded three times, once per WScript.exe instance: PIDs 412, 2620 and 5004, each running C:\Windows\W_X_C.vbs.)
Note: the value holds a bare file name rather than a full path; it still launches because the batch file sits in C:\Windows, which is on the system PATH. Policies\Explorer\Run is a less commonly inspected persistence location than the ordinary Run key, so include it in autostart sweeps.
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | cmd.exe
Caveat: all three hits come from the cmd.exe instances that run W_X_C.bat, and this query is routinely produced by cmd.exe start-up (locale initialisation), so by itself it is weak evidence of geofencing.
Executes dropped EXE (6 IoCs)
pid | Process
2504 | avscan.exe
1128 | avscan.exe
4432 | hosts.exe
1408 | hosts.exe
3844 | avscan.exe
5024 | hosts.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Note: the WOW6432Node path is the registry redirector's 32-bit view; the writers are 32-bit processes (their helpers launch from C:\Windows\SysWOW64). Explorer processes the 32-bit Run key at logon as well as the 64-bit one, so the persistence works, and a check that reads only HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run from a 64-bit tool misses it. Writing under HKLM needs an elevated token; on a standard-user host this step fails.
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\windows\W_X_C.vbs | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File created | \??\c:\windows\W_X_C.bat | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File opened for modification | C:\Windows\hosts.exe | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File opened for modification | C:\Windows\hosts.exe | avscan.exe
File opened for modification | C:\Windows\hosts.exe | hosts.exe
Note: writing to C:\Windows requires administrative rights; the sample ran here as user Admin (see the submitted path). The three artefacts to look for on a host are C:\Windows\W_X_C.vbs, C:\Windows\W_X_C.bat and C:\Windows\hosts.exe, plus the copy %LOCALAPPDATA%\Temp\avscan.exe referenced by the Run key.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Modifies registry key (1 TTPs, 7 IoCs)
pid | Process
1840 | REG.exe
4848 | REG.exe
3568 | REG.exe
4280 | REG.exe
3400 | REG.exe
4700 | REG.exe
2260 | REG.exe
All seven invocations run REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f (see the process tree). The SafeBoot key holds the Minimal and Network lists of drivers and services allowed in Safe Mode; deleting it leaves the machine unable to boot into Safe Mode, a common anti-recovery step. The report records the command, not whether the delete succeeded (it needs an elevated token), so verify the key is intact on a suspected host before relying on Safe Mode for clean-up.
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid | Process
684 | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
2504 | avscan.exe
4432 | hosts.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
684 | NEAS.702ee218cab1cca6d1c9d68681cef620.exe
2504 | avscan.exe
1128 | avscan.exe
4432 | hosts.exe
1408 | hosts.exe
3844 | avscan.exe
5024 | hosts.exe
Suspicious use of WriteProcessMemory (57 IoCs)
The report lists 57 rows; every parent/child pair appears three times, giving the 19 distinct pairs below. Columns: source pid -> target pid | source Process | procid_target.
684 -> 4280 | NEAS.702ee218cab1cca6d1c9d68681cef620.exe | 89
684 -> 2504 | NEAS.702ee218cab1cca6d1c9d68681cef620.exe | 92
2504 -> 1128 | avscan.exe | 93
2504 -> 1364 | avscan.exe | 98
684 -> 2180 | NEAS.702ee218cab1cca6d1c9d68681cef620.exe | 95
1364 -> 4432 | cmd.exe | 100
2180 -> 1408 | cmd.exe | 101
4432 -> 3844 | hosts.exe | 102
4432 -> 4416 | hosts.exe | 104
1364 -> 2620 | cmd.exe | 106
2180 -> 5004 | cmd.exe | 107
4416 -> 5024 | cmd.exe | 108
4416 -> 412 | cmd.exe | 109
2504 -> 3400 | avscan.exe | 111
4432 -> 4700 | hosts.exe | 113
2504 -> 2260 | avscan.exe | 115
4432 -> 1840 | hosts.exe | 117
2504 -> 4848 | avscan.exe | 120
4432 -> 3568 | hosts.exe | 122
Every write goes from a parent to a child it has just started, and the uniform three writes per child match what CreateProcess itself does when it fills in the new process's parameters. Nothing in this table shows injection into an unrelated process; the pairs are useful mainly for rebuilding the process tree.
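The WriteProcessMemory table is the raw material for the process tree further down; as an added example (not part of the Triage report), the Python below rebuilds that tree from the table text, de-duplicates the repeated rows and marks which PIDs are leaves that never start a child. The input is copied from this page in the report's own row format (every distinct row once, with the triple repeat kept for the first row); the column order assumed by the regular expression is source PID, "wrote to memory of", target PID, source PID again, image name, procid_target.

```python
"""Rebuild the parent/child process tree from a Triage 'Suspicious use of
WriteProcessMemory' table. Added example; not code from the report or from Triage."""
import re
from collections import defaultdict

# Rows copied from this report. The report repeats each row three times; the
# triple is kept for the first row only, to show the de-duplication.
WPM_TABLE = """
PID 684 wrote to memory of 4280 684 NEAS.702ee218cab1cca6d1c9d68681cef620.exe 89
PID 684 wrote to memory of 4280 684 NEAS.702ee218cab1cca6d1c9d68681cef620.exe 89
PID 684 wrote to memory of 4280 684 NEAS.702ee218cab1cca6d1c9d68681cef620.exe 89
PID 684 wrote to memory of 2504 684 NEAS.702ee218cab1cca6d1c9d68681cef620.exe 92
PID 2504 wrote to memory of 1128 2504 avscan.exe 93
PID 2504 wrote to memory of 1364 2504 avscan.exe 98
PID 684 wrote to memory of 2180 684 NEAS.702ee218cab1cca6d1c9d68681cef620.exe 95
PID 1364 wrote to memory of 4432 1364 cmd.exe 100
PID 2180 wrote to memory of 1408 2180 cmd.exe 101
PID 4432 wrote to memory of 3844 4432 hosts.exe 102
PID 4432 wrote to memory of 4416 4432 hosts.exe 104
PID 1364 wrote to memory of 2620 1364 cmd.exe 106
PID 2180 wrote to memory of 5004 2180 cmd.exe 107
PID 4416 wrote to memory of 5024 4416 cmd.exe 108
PID 4416 wrote to memory of 412 4416 cmd.exe 109
PID 2504 wrote to memory of 3400 2504 avscan.exe 111
PID 4432 wrote to memory of 4700 4432 hosts.exe 113
PID 2504 wrote to memory of 2260 2504 avscan.exe 115
PID 4432 wrote to memory of 1840 4432 hosts.exe 117
PID 2504 wrote to memory of 4848 2504 avscan.exe 120
PID 4432 wrote to memory of 3568 4432 hosts.exe 122
"""

# One row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# findall over the whole text also copes with the report's flattened one-line form.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_writes(text):
    """Return (set of (src, dst) pairs, {pid: image}, {(src, dst): row count})."""
    edges, names, counts = set(), {}, defaultdict(int)
    for src, dst, image, _target in RECORD.findall(text):
        src, dst = int(src), int(dst)
        edges.add((src, dst))
        names[src] = image          # only writers carry an image name in this table
        counts[(src, dst)] += 1
    return edges, names, counts


def build_tree(edges):
    """Map each parent PID to its children (ascending) and return the roots:
    PIDs that write to others but are never written to themselves."""
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return dict(children), roots


def depth_of(children, root, pid):
    """Depth of pid below root (root is 0), or None if pid is not in that tree."""
    stack = [(root, 0)]
    while stack:
        cur, depth = stack.pop()
        if cur == pid:
            return depth
        stack.extend((c, depth + 1) for c in children.get(cur, ()))
    return None


def render(children, names, root, indent=0):
    """Indented text tree. Leaves (REG.exe, WScript.exe and the last copies
    on this page) never write to a child, so the table gives them no name: '?'."""
    lines = ["  " * indent + f"{root} {names.get(root, '?')}"]
    for child in children.get(root, ()):
        lines.extend(render(children, names, child, indent + 1))
    return lines


if __name__ == "__main__":
    edges, names, counts = parse_writes(WPM_TABLE)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
    print(f"{len(edges)} distinct parent->child pairs; rows per pair seen: {sorted(set(counts.values()))}")
```

Running it prints a single tree rooted at PID 684 that matches the Processes section below; the rundll32.exe instance (PID 3488) does not appear because it neither writes to nor is written by any process in the table, which is itself a hint that it is not part of the sample's chain.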
Processes
Depth is shown in brackets; each entry gives the image path, the command line, the signatures it triggered and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe (PID 684)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\REG.exe (PID 4280)
      command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2504)
      command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 1128)
        command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1364)
        command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\windows\hosts.exe (PID 4432)
          command line: C:\windows\hosts.exe
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 3844)
            command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4416)
            command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
          [6] C:\windows\hosts.exe (PID 5024)
              command line: C:\windows\hosts.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\WScript.exe (PID 412)
              command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              - Adds policy Run key to start application
        [5] C:\Windows\SysWOW64\REG.exe (PID 4700)
            command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
        [5] C:\Windows\SysWOW64\REG.exe (PID 1840)
            command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
        [5] C:\Windows\SysWOW64\REG.exe (PID 3568)
            command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
      [4] C:\Windows\SysWOW64\WScript.exe (PID 2620)
          command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          - Adds policy Run key to start application
    [3] C:\Windows\SysWOW64\REG.exe (PID 3400)
        command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\REG.exe (PID 2260)
        command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\REG.exe (PID 4848)
        command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2180)
      command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\windows\hosts.exe (PID 1408)
        command line: C:\windows\hosts.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\WScript.exe (PID 5004)
        command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application

[1] C:\Windows\System32\rundll32.exe (PID 3488)
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    (no signatures; not a child of the sample according to the WriteProcessMemory table)

Reading the tree: the sample copies itself to %LOCALAPPDATA%\Temp\avscan.exe and C:\Windows\hosts.exe, and each copy repeats the same three actions: start the other copy, run C:\Windows\W_X_C.bat through cmd.exe (which in turn launches hosts.exe and WScript.exe with C:\Windows\W_X_C.vbs to write the Policies\Explorer\Run value), and delete the SafeBoot key with REG.exe. The command lines name C:\Windows\system32\ but the images resolve to C:\Windows\SysWOW64\: the sample and its copies are 32-bit, so the file-system redirector maps System32 to SysWOW64 for them, which also explains the WOW6432Node Run key noted above.
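The registry paths and command lines in this report are the parts that survive from one infected host to the next (PIDs and the user SID do not). As an added example, not code from the report or from Triage, the Python below turns them into matching rules and runs them over constructed event records shaped loosely like Sysmon registry-set (id 13) and process-create (id 1) events; the field names (id, image, path, data, cmdline), the three benign look-alike records and the scoring weights are assumptions for illustration. It normalises the kernel-style \REGISTRY\MACHINE paths used on this page to the HKLM form most log sources emit, collapses the per-user SID, and strips WOW6432Node so the 32-bit Run key write is matched by the same rule as a 64-bit one.

```python
"""Match the registry and command-line IoCs of this report against event records.
Added example; not code from the report or from Triage. EVENTS is constructed,
not captured telemetry; field names and weights are illustrative assumptions."""
import re

SID = "S-1-5-21-3350690463-3549324357-1323838019-1000"  # the sandbox user's SID from this report

# The first six records carry values from this report's signatures; the last
# three are benign look-alikes (constructed) that must not fire any rule.
EVENTS = [
    {"id": 13, "image": "avscan.exe", "path": r"\REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt" % SID, "data": "DWORD (0x00000001)"},
    {"id": 13, "image": "hosts.exe", "path": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden" % SID, "data": "DWORD (0x00000000)"},
    {"id": 13, "image": "WScript.exe", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QIAFAGXK", "data": "W_X_C.bat"},
    {"id": 13, "image": "avscan.exe", "path": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan", "data": r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"},
    {"id": 1, "image": "REG.exe", "cmdline": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    {"id": 1, "image": "WScript.exe", "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'},
    {"id": 13, "image": "explorer.exe", "path": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt" % SID, "data": "DWORD (0x00000000)"},
    {"id": 13, "image": "msiexec.exe", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"id": 1, "image": "cmd.exe", "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"},
]


def normalize_key(path):
    """Canonical lower-case key path: kernel \\REGISTRY\\ and HKEY_ prefixes become
    HKLM/HKU, the host-specific user SID becomes <SID>, and the WOW6432Node segment
    is dropped so the 32-bit and 64-bit views of HKLM\\SOFTWARE compare equal."""
    subs = [
        (r"^\\REGISTRY\\MACHINE\\", "HKLM\\"),
        (r"^\\REGISTRY\\USER\\", "HKU\\"),
        (r"^HKEY_LOCAL_MACHINE\\", "HKLM\\"),
        (r"^HKEY_USERS\\", "HKU\\"),
        (r"^HKU\\S-1-5-21-[\d-]+\\", "HKU\\<SID>\\"),   # after the HKU rewrite above
        (r"\\WOW6432Node\\", "\\"),
    ]
    for pattern, repl in subs:
        path = re.sub(pattern, lambda _m, r=repl: r, path, flags=re.I)
    return path.lower()


def dword(data):
    """Accept '1', '0x1' or Sysmon's 'DWORD (0x00000001)'; None for non-numeric data."""
    m = re.search(r"0x([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    return int(data) if data.strip().isdigit() else None


def rule_hide_file_ext(ev):
    return ev["id"] == 13 and ev["key"].endswith("\\explorer\\advanced\\hidefileext") and dword(ev["data"]) == 1

def rule_show_super_hidden(ev):
    return ev["id"] == 13 and ev["key"].endswith("\\explorer\\advanced\\showsuperhidden") and dword(ev["data"]) == 0

def rule_policies_run_key(ev):
    # Any value written under Policies\Explorer\Run; rarely touched by legitimate installers.
    return ev["id"] == 13 and "\\currentversion\\policies\\explorer\\run\\" in ev["key"]

def rule_run_key_from_temp(ev):
    return ev["id"] == 13 and "\\currentversion\\run\\" in ev["key"] and "\\appdata\\local\\temp\\" in ev["data"].lower()

SAFEBOOT_DELETE = re.compile(r"\breg(?:\.exe)?\b.*\bdelete\b.*\\control\\safeboot\b", re.I)
SCRIPT_IN_WINDIR = re.compile(r'wscript\.exe\b.*\\windows\\[^\\"]+\.vbs\b', re.I)  # .vbs directly in C:\Windows

def rule_safeboot_delete(ev):
    return ev["id"] == 1 and bool(SAFEBOOT_DELETE.search(ev["cmdline"]))

def rule_script_in_windir(ev):
    return ev["id"] == 1 and bool(SCRIPT_IN_WINDIR.search(ev["cmdline"]))

RULES = [  # (name, predicate, weight); the weights are an illustrative assumption
    ("hide_file_ext", rule_hide_file_ext, 1),
    ("show_super_hidden", rule_show_super_hidden, 1),
    ("policies_run_key", rule_policies_run_key, 2),
    ("run_key_from_temp", rule_run_key_from_temp, 2),
    ("safeboot_delete", rule_safeboot_delete, 3),
    ("script_in_windir", rule_script_in_windir, 2),
]


def triage(events):
    """Run every rule over every event; score counts each distinct rule once."""
    matches = []
    for idx, ev in enumerate(events):
        norm = {"id": ev["id"], "key": normalize_key(ev.get("path", "")),
                "data": ev.get("data", ""), "cmdline": ev.get("cmdline", "")}
        matches.extend((name, idx) for name, pred, _w in RULES if pred(norm))
    hit = sorted({name for name, _ in matches})
    score = sum(w for name, _p, w in RULES if name in hit)
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "clean"
    return {"matches": matches, "rules_hit": hit, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage(EVENTS)
    for name, idx in result["matches"]:
        print(f"{name:18s} <- event {idx} ({EVENTS[idx]['image']})")
    print(result["verdict"], result["score"])
```

The two Explorer tweaks carry low weight on purpose: users and admin scripts change HideFileExt and ShowSuperHidden legitimately, so they should raise the score only in combination with a persistence write or the SafeBoot deletion. The benign records show the two easy false positives to avoid, a DWORD of 0 on HideFileExt and a reg query (not delete) of the SafeBoot key.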
Network
MITRE ATT&CK Enterprise v15
Downloads
File (5.5MB; these hashes are listed four times in the report)
  MD5: 3c7aa3204cbadfc5f487cefb49ba6c62
  SHA1: 22d31634cceef86d09508344b8528c3d84ea2f63
  SHA256: 48ca9ad65159752d546070c7ad62c8bda772f98f8c79c811a7baa9b8c5369096
  SHA512: b863e522806582a8b4ad460a0bcae45cb258a66953f382db495ad7999cb511a0b1edf83e98218e785f20d52448647621ddfaf0b174b4ed92ad44ca1cc57b5649
Filesize
5.5MB
MD53c7aa3204cbadfc5f487cefb49ba6c62
SHA122d31634cceef86d09508344b8528c3d84ea2f63
SHA25648ca9ad65159752d546070c7ad62c8bda772f98f8c79c811a7baa9b8c5369096
SHA512b863e522806582a8b4ad460a0bcae45cb258a66953f382db495ad7999cb511a0b1edf83e98218e785f20d52448647621ddfaf0b174b4ed92ad44ca1cc57b5649
-
Filesize
5.5MB
MD53c7aa3204cbadfc5f487cefb49ba6c62
SHA122d31634cceef86d09508344b8528c3d84ea2f63
SHA25648ca9ad65159752d546070c7ad62c8bda772f98f8c79c811a7baa9b8c5369096
SHA512b863e522806582a8b4ad460a0bcae45cb258a66953f382db495ad7999cb511a0b1edf83e98218e785f20d52448647621ddfaf0b174b4ed92ad44ca1cc57b5649
-
Filesize
5.5MB
MD53c7aa3204cbadfc5f487cefb49ba6c62
SHA122d31634cceef86d09508344b8528c3d84ea2f63
SHA25648ca9ad65159752d546070c7ad62c8bda772f98f8c79c811a7baa9b8c5369096
SHA512b863e522806582a8b4ad460a0bcae45cb258a66953f382db495ad7999cb511a0b1edf83e98218e785f20d52448647621ddfaf0b174b4ed92ad44ca1cc57b5649
File (195B)
  MD5: ea493a9a3633e09ef54322e6bec33b4c
  SHA1: 0d0b5913b97c52c58d55740e52c84a07ba6fbfc7
  SHA256: 1ed5d55178d379945855f67de151c1a22a7b334daa8513c198edd4120203c3da
  SHA512: 53eaf502921739c73f2b2410d761ce26af6a7ba4d8ff8d72b9a32ec56967ed95e5cc17abccb8c690ffcdecf4dc726e94f056445f28d6dcf2c3f7441a7d7c688b
File (5.5MB; these hashes are listed six times in the report)
  MD5: f4cc3f535970c2f11a8b7afcca796d17
  SHA1: 64ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
  SHA256: 8218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
  SHA512: f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
Filesize
5.5MB
MD5f4cc3f535970c2f11a8b7afcca796d17
SHA164ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
SHA2568218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
SHA512f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
-
Filesize
5.5MB
MD5f4cc3f535970c2f11a8b7afcca796d17
SHA164ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
SHA2568218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
SHA512f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
-
Filesize
5.5MB
MD5f4cc3f535970c2f11a8b7afcca796d17
SHA164ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
SHA2568218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
SHA512f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
-
Filesize
5.5MB
MD5f4cc3f535970c2f11a8b7afcca796d17
SHA164ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
SHA2568218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
SHA512f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
-
Filesize
5.5MB
MD5f4cc3f535970c2f11a8b7afcca796d17
SHA164ab94fd6a6cb4f5c48a33d4f0bb90b57fe1e76b
SHA2568218e59c4394c7fdd266bae3798b65fc461b1e671c29074b953714da7ba343b2
SHA512f084f169511595ec3536fb7f958105836d7c3eb6807561ed85016f0e002269e5370ee3817d8517f1e123304461a7755a15b1b20cf8c3f98dd350f3078a4331f0
File (336B)
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Note: the report does not name the files these hashes belong to. Both 5.5MB files differ from the submitted sample (MD5 702ee218cab1cca6d1c9d68681cef620) and from each other, so the copies the sample drops are not byte-identical to it; hunt for the dropped paths (C:\Windows\hosts.exe, %LOCALAPPDATA%\Temp\avscan.exe, C:\Windows\W_X_C.bat, C:\Windows\W_X_C.vbs) and the registry IoCs above rather than relying on any single exact hash.