Analysis
  max time kernel: 150s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20231020-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22/10/2023, 17:19
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.521b06aa293edcd182bb96d327762360.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: NEAS.521b06aa293edcd182bb96d327762360.exe
  Resource: win10v2004-20231020-en
General
  Target: NEAS.521b06aa293edcd182bb96d327762360.exe
  Size: 207KB
  MD5: 521b06aa293edcd182bb96d327762360
  SHA1: 31849c52defe64aaba55d04c07d42579aef8cfd1
  SHA256: ec7d5fce0da7f0940b8b5d7c96414362392999a45714c573210046a8d9450d7e
  SHA512: e5f0894bd79b361491f4b4eb007ff9c86a6bcbb497b4ca248d639b1ef28d204da5c7f6eebacc9ad0b9179655d023bc8ee9b9b794ed8e9c1de60eaca3dfff2154
  SSDEEP: 3072:MvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unW:MvEN2U+T6i5LirrllHy4HUcMQY6d
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [svchost.exe]

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [svchost.exe]

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [explorer.exe]
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]

Executes dropped EXE (4 IoCs)
  PID 1060  explorer.exe
  PID 4776  spoolsv.exe
  PID 3340  svchost.exe
  PID 3156  spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [svchost.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [svchost.exe]

Drops file in Windows directory (6 IoCs)
  File opened for modification  \??\c:\windows\system\spoolsv.exe   [explorer.exe]
  File opened for modification  \??\c:\windows\system\svchost.exe   [spoolsv.exe]
  File opened for modification  \??\c:\windows\system\explorer.exe  [explorer.exe]
  File opened for modification  \??\c:\windows\system\svchost.exe   [svchost.exe]
  File opened for modification  C:\Windows\system\udsys.exe         [explorer.exe]
  File opened for modification  \??\c:\windows\system\explorer.exe  [NEAS.521b06aa293edcd182bb96d327762360.exe]

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4012  NEAS.521b06aa293edcd182bb96d327762360.exe
  PID 1060  explorer.exe
  PID 3340  svchost.exe
  (64 events in total, all from these three processes)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 1060  explorer.exe
  PID 3340  svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 4012  NEAS.521b06aa293edcd182bb96d327762360.exe
  PID 1060  explorer.exe
  PID 4776  spoolsv.exe
  PID 3340  svchost.exe
  PID 3156  spoolsv.exe
  (12 events in total, all from these five processes)

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 4012 (NEAS.521b06aa293edcd182bb96d327762360.exe) wrote to memory of PID 1060  (procid_target 82)
  PID 1060 (explorer.exe) wrote to memory of PID 4776  (procid_target 83)
  PID 4776 (spoolsv.exe) wrote to memory of PID 3340  (procid_target 85)
  PID 3340 (svchost.exe) wrote to memory of PID 3156  (procid_target 86)
  PID 3340 (svchost.exe) wrote to memory of PID 1156  (procid_target 88)
  PID 3340 (svchost.exe) wrote to memory of PID 5092  (procid_target 95)
  PID 3340 (svchost.exe) wrote to memory of PID 2464  (procid_target 97)
  (each of the seven writes is logged three times, 21 events in total)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe  (PID 4012)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\windows\system\explorer.exe  (PID 1060)
      command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\system\spoolsv.exe  (PID 4776)
        command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\system\svchost.exe  (PID 3340)
          command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\system\spoolsv.exe  (PID 3156)
            command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\SysWOW64\at.exe  (PID 1156)
            command line: at 19:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        [5] C:\Windows\SysWOW64\at.exe  (PID 5092)
            command line: at 19:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        [5] C:\Windows\SysWOW64\at.exe  (PID 2464)
            command line: at 19:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads