Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 22/10/2023, 17:31
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
Size: 25KB
MD5: e6e5d4840250a3eb75f6951a813f8f30
SHA1: 6bac39c696db3cc27bae55dc9ecc20aefe61585e
SHA256: 0dd63722602b73f6738822e09e832b64aa1b116e7f72204e5e63bb288f4ea364
SHA512: bd858c2337def7e1b46ba8ba330e9a8b97970a555a5ceee34cfd43e12cf58176f2def727becaa8b352507119683cb1a603230e520ad3cdbbb26fd7972756966c
SSDEEP: 384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjvR:8Q3LotOPNSQVwVVxGKEvKHrVR
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid  | Process
  2120 | spoolsv.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                     | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe" | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe" | spoolsv.exe

Drops file in Windows directory (2 IoCs)
  description  | ioc                    | Process
  File created | C:\Windows\spoolsv.exe | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  File created | C:\Windows\spoolsv.exe | spoolsv.exe

NTFS ADS (1 IoC)
  description                    | ioc                                                                | Process
  File opened for modification   | C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader        | spoolsv.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1668 | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  Token: SeDebugPrivilege | 2120 | spoolsv.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                   | procid_target
  PID 1668 wrote to memory of 2120  | 1668 | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe | 28
  PID 1668 wrote to memory of 2120  | 1668 | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe | 28
  PID 1668 wrote to memory of 2120  | 1668 | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe | 28
  PID 1668 wrote to memory of 2120  | 1668 | NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e6e5d4840250a3eb75f6951a813f8f30.exe"
  PID: 1668
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\spoolsv.exe
      Command line: "C:\Windows\spoolsv.exe"
      PID: 2120
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 25KB
MD5: aaad60cc4396d9549abdef568e5677f6
SHA1: 1e2f33c76fe121f24a5c9f1d8aa86a15e3904d82
SHA256: 2590ceb90e84456299d26149753f25db1307b9007b83487ee8a33f93c24fbfa9
SHA512: 4632b19c94fc2e684099918fa6dcfd71916cde5d2c979b811d3c48fe00b315b050eafe5e6b3d56d6ff0827a12d28a3f08f6d48587ae8ea097574408288b716fc

Filesize: 25KB
MD5: 82071fd2379c64429acf376487fcddff
SHA1: 2da42c7eaa62ecee65757b441c939f12b52228fb
SHA256: 272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8
SHA512: 194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb