Analysis
max time kernel: 53s
max time network: 37s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 22/10/2023, 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.fa35b2daeea4893c39c7757406645af0.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.fa35b2daeea4893c39c7757406645af0.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.fa35b2daeea4893c39c7757406645af0.exe
Size: 473KB
MD5: fa35b2daeea4893c39c7757406645af0
SHA1: 5a4db2dfa8b4065ec4a07eac157d9d0b9c6609a7
SHA256: 8ef16d53048177e8d3084bb8bbc4c1f7f291b56d25e15f6523aab7712805856e
SHA512: a24a57ea24a1751bed2186c267190ecc18feefed2419a94566d7839b8034fa6fe9c695a4b0de7bbf73bb6486d857eb61016733f2cca93238dd305bee7f23edf1
SSDEEP: 1536:ur3Z5IfQmv81a1xyXHZ+NGQSLNmCm6oyz7jBd7qDmbNPMJAVC+++6:yJOfQm01mxyXHZKG7pm6j77C
Malware Config
Signatures
Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes so the file no longer shows in Explorer or in a default "dir" listing. Because +s and +h are set together here, the dropped copy stays invisible even to a user who has enabled "show hidden files", unless "hide protected operating system files" is also switched off.
pid   Process
2912  attrib.exe

Deletes itself (1 IoC)
pid   Process
1036  cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
2796  rwmhost.exe

Drops file in Windows directory (3 IoCs)
description                   ioc                           Process
File created                  C:\Windows\Debug\rwmhost.exe  NEAS.fa35b2daeea4893c39c7757406645af0.exe
File opened for modification  C:\Windows\Debug\rwmhost.exe  NEAS.fa35b2daeea4893c39c7757406645af0.exe
File opened for modification  C:\Windows\Debug\rwmhost.exe  attrib.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                       pid   Process
Token: SeIncBasePriorityPrivilege  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe
SeIncBasePriorityPrivilege is the "increase scheduling priority" privilege. Enabling it is common in benign software and is low-signal on its own; it is the surrounding drop/hide/delete chain that matters.

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                    procid_target
PID 2140 wrote to memory of 2912  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  28
PID 2140 wrote to memory of 2912  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  28
PID 2140 wrote to memory of 2912  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  28
PID 2140 wrote to memory of 2912  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  28
PID 2140 wrote to memory of 1036  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  31
PID 2140 wrote to memory of 1036  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  31
PID 2140 wrote to memory of 1036  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  31
PID 2140 wrote to memory of 1036  2140  NEAS.fa35b2daeea4893c39c7757406645af0.exe  31
All eight writes target the sample's own children (attrib.exe and cmd.exe) and are the writes a parent makes into a freshly created child during process start-up. Nothing here shows a write into an unrelated process, so this signature should not be read as code injection.

Views/modifies file attributes (1 TTP, 1 IoC)
pid   Process
2912  attrib.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\NEAS.fa35b2daeea4893c39c7757406645af0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fa35b2daeea4893c39c7757406645af0.exe"
  PID: 2140
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
    PID: 2912
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEASFA~1.EXE > nul
    PID: 1036
    - Deletes itself
(depth 1) C:\Windows\Debug\rwmhost.exe
  Command line: C:\Windows\Debug\rwmhost.exe
  PID: 2796
  - Executes dropped EXE

Depth is the nesting level from the original tree: depth 2 entries are children of the preceding depth 1 process. rwmhost.exe is listed at depth 1 because the report records no parent for it. Two details worth noting for detection: both children run from C:\Windows\SysWOW64 although cmd.exe was requested as C:\Windows\system32\cmd.exe, which is WOW64 file-system redirection for a 32-bit process and matches the arch:x86 tag; and the del target NEASFA~1.EXE is the 8.3 short name of the sample, so any rule that compares the deleted path with the parent's image path has to account for short-name aliases.
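The drop, hide, self-delete and run chain shown in the process tree, as an added detection example that is not tria.ge's code or output. It walks constructed Sysmon-style events modelled on the reported PIDs, command lines and dropped path, plus a benign control that must not fire, and it resolves the 8.3 short name used by the del command so the self-deletion is still matched against the parent's long image path. The event schema (type, pid, ppid, image, cmdline, path) and the finding names are assumptions.

```python
"""Detect the drop -> hide -> self-delete -> run chain from the process tree.

Added example, not tria.ge code. EVENTS is constructed from the report's PIDs,
command lines and dropped path; the event schema and finding names are assumed.
"""
import ntpath
import re
from collections import defaultdict

_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed from the report's process tree (PIDs as reported).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.fa35b2daeea4893c39c7757406645af0.exe"
DROP = r"C:\Windows\Debug\rwmhost.exe"
EVENTS = [
    {"type": "process", "pid": 2140, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 2140, "path": DROP},
    {"type": "process", "pid": 2912, "ppid": 2140, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": f"attrib +a +s +h +r {DROP}"},
    {"type": "process", "pid": 1036, "ppid": 2140, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEASFA~1.EXE > nul'},
    {"type": "process", "pid": 2796, "ppid": None, "image": DROP, "cmdline": DROP},
    # Benign control (constructed): a user hiding a notes file must not fire.
    {"type": "process", "pid": 3000, "ppid": None, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h C:\Users\Admin\notes.txt"},
]


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths whole (quotes removed)."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline) if t.strip('"')]


def short_name_8dot3(long_name):
    """8.3 alias NTFS generates for long_name when there is no collision (~1).

    Names that already fit 8.3 are just upper-cased. Otherwise spaces and all
    dots except the extension dot are removed, the base is cut to six characters,
    "~1" is appended and the extension is cut to three characters. Hash-style
    aliases that Windows uses after repeated collisions are not modelled.
    """
    if re.fullmatch(r"[^ .]{1,8}(\.[^ .]{1,3})?", long_name):
        return long_name.upper()
    base, ext = ntpath.splitext(long_name)
    base = re.sub(r"[ .]", "", base)[:6].upper()
    ext = ext.lstrip(".")[:3].upper()
    return f"{base}~1" + (f".{ext}" if ext else "")


def same_file(long_path, candidate):
    """True when candidate names long_path directly or through an 8.3 alias (~N).

    Paths are compared textually; relative paths and %VARS% are not resolved.
    """
    long_dir, long_file = ntpath.split(long_path)
    cand_dir, cand_file = ntpath.split(candidate)
    if long_dir.lower() != cand_dir.lower():
        return False
    if long_file.lower() == cand_file.lower():
        return True
    m = re.fullmatch(r"(.*?)~\d+(\..*)?", cand_file.upper())   # NEASFA~1.EXE, NEASFA~2.EXE, ...
    return m is not None and short_name_8dot3(long_file) == f"{m.group(1)}~1{m.group(2) or ''}"


def detect(events):
    """Return (finding, pid) pairs for the chain, in event order."""
    image = {}                   # pid -> image path of every process seen
    dropped = defaultdict(set)   # pid -> lower-cased paths that process created
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            dropped[ev["pid"]].add(ev["path"].lower())
            continue
        pid, ppid = ev["pid"], ev["ppid"]
        image[pid] = ev["image"]
        argv = tokens(ev["cmdline"])
        low = [a.lower() for a in argv]
        exe = ntpath.basename(ev["image"]).lower()
        # A dropped file being executed, whoever starts it (rwmhost.exe has no recorded parent).
        if ev["image"].lower() in set().union(*dropped.values()):
            findings.append(("dropped_exe_executed", pid))
        if exe == "attrib.exe":
            flags = {a for a in low[1:] if a[0] in "+-"}
            targets = [a for a in low[1:] if a[0] not in "+-/"]
            # +s and +h together: hidden even with "show hidden files" enabled.
            if {"+h", "+s"} <= flags and any(t in dropped[ppid] for t in targets):
                findings.append(("hide_dropped_file", pid))
        elif exe == "cmd.exe" and "del" in low and ppid in image:
            for a in argv[low.index("del") + 1:]:
                if a[0] in ">|&":        # redirection or chaining ends the del arguments
                    break
                if not a.startswith("/") and same_file(image[ppid], a):
                    findings.append(("self_delete_via_cmd", pid))
                    break
    return findings


if __name__ == "__main__":
    for finding, pid in detect(EVENTS):
        print(f"{finding:24} pid={pid}")
```

The three findings come out in the order the sandbox recorded the events: the attrib child hiding the freshly dropped file, the cmd child deleting its parent's image under the short name, and the dropped rwmhost.exe starting. The benign attrib +h on a user file produces nothing because it lacks +s and because its parent never created that file, which is the pairing that separates this pattern from routine attribute changes.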
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 473KB
MD5: 226563f4ad3686cf36b8679b29f4de67
SHA1: 3b325b0458f73e5b63df449ea4e7fbaf121963fa
SHA256: 8d978e747c7672cac1a44c72e4b64b1b3b1ae1a428bde1b1426ecc9b1daa131b
SHA512: 77c617b9bd0ff6584b8ddd1f944875863b0df5f52afc87ca055183bbccc23482eb6292dd6dc07075f37ebc1cee1ef4e6f2f9a5bf122373ef6168f48758d2f3be
This download has the same size as the submitted sample but different hashes (sample MD5 fa35b2daeea4893c39c7757406645af0), so hunting on the sample's hash alone will not match this artifact.