Analysis
  max time kernel:  256s
  max time network: 298s
  platform:         windows7_x64
  resource:         win7-20231020-en
  resource tags:    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  submitted:        22/10/2023, 17:20
Behavioral task behavioral1
  Sample:   NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  Resource: win7-20231020-en
Behavioral task behavioral2
  Sample:   NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  Resource: win10v2004-20231020-en
General
  Target: NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  Size:   73KB
  MD5:    669f2618518ce638f4c2abee3b04a0c0
  SHA1:   4a385e7e0514bc0856386679d8173665e28e63a7
  SHA256: b07d29ab157869579f705af16fe0cc4f59aef6eca1fd99eeb2eee2532ca4a0be
  SHA512: 53e4e74f324ddb9d0344ae82ca0e6eb2e257f02de3e660ac2300bbe79b193d35e868fd1167c7c7040689f7d4e354991d9c85d32adec038ba63d7ef7f16b3ee92
  SSDEEP: 1536:X555555555555pmgSeGDjtQhnwmmB0yJMqqU+2bbbAV2/S2mr3IdE8mne0Avu5ry:4MSjOnrmBxMqqDL2/mr3IdE8we0Avu5h
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kqxlnosmwnm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.669f2618518ce638f4c2abee3b04a0c0.exe"  NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc (in report order)                                                                                                    Process
  File opened (read-only)  \??\S: \??\X: \??\Y: \??\A: \??\G: \??\I: \??\O: \??\R: \??\H: \??\N: \??\P: \??\U: \??\W: \??\B: \??\V: \??\Z: \??\Q: \??\T: \??\E: \??\J: \??\K: \??\L: \??\M:  NEAS.669f2618518ce638f4c2abee3b04a0c0.exe (one IoC per drive letter, 23 in total)
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                       Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2392  NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
  2392  NEAS.669f2618518ce638f4c2abee3b04a0c0.exe
Suspicious use of WriteProcessMemory (56 IoCs)
  All 56 entries have the same source: PID 2392, NEAS.669f2618518ce638f4c2abee3b04a0c0.exe. The report lists four "wrote to memory of" entries per target process; targets in report order:
  target PID  procid_target  entries
  2544        28             4
  2532        31             4
  652         33             4
  436         35             4
  1756        37             4
  2536        39             4
  2648        41             4
  2864        43             4
  1324        45             4
  112         47             4
  1748        49             4
  1952        51             4
  1932        53             4
  1444        55             4
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.669f2618518ce638f4c2abee3b04a0c0.exe  (PID 2392)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.669f2618518ce638f4c2abee3b04a0c0.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes (all C:\Windows\SysWOW64\nslookup.exe), in report order:
    nslookup nomoreransom.bit dns1.soprodns.ru  (PID 2544)
    nslookup emsisoft.bit dns1.soprodns.ru      (PID 2532)
    nslookup gandcrab.bit dns1.soprodns.ru      (PID 652)
    nslookup nomoreransom.bit dns1.soprodns.ru  (PID 436)
    nslookup emsisoft.bit dns1.soprodns.ru      (PID 1756)
    nslookup gandcrab.bit dns1.soprodns.ru      (PID 2536)
    nslookup nomoreransom.bit dns1.soprodns.ru  (PID 2648)
    nslookup emsisoft.bit dns1.soprodns.ru      (PID 2864)
    nslookup gandcrab.bit dns1.soprodns.ru      (PID 1324)
    nslookup nomoreransom.bit dns1.soprodns.ru  (PID 112)
    nslookup emsisoft.bit dns1.soprodns.ru      (PID 1748)
    nslookup gandcrab.bit dns1.soprodns.ru      (PID 1952)
    nslookup nomoreransom.bit dns1.soprodns.ru  (PID 1932)
    nslookup emsisoft.bit dns1.soprodns.ru      (PID 1444)