Analysis
  max time kernel:  193s
  max time network: 202s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231020-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22/10/2023, 17:26
Static task
  static1

Behavioral task
  behavioral1
  Sample:   NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Resource: win7-20231020-en

Behavioral task
  behavioral2
  Sample:   NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Resource: win10v2004-20231020-en
General
  Target: NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Size:   436KB
  MD5:    b63ceee432db98368c63d184cc5b43e0
  SHA1:   d65f91820b8a1bcb184f74bd29b1064318bd1df5
  SHA256: 37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb
  SHA512: c534dcd220f67078c34c6ca0391c34d357669dfaa05578e26b4663edc97d9bab93125f3f2ed460cfe76c4be1eeea8faf3280b44d8e7d646e70f31b4232a8cbaf
  SSDEEP: 6144:8vEN2U+T6i5LirrllHy4HUcMQY6Pj5q8deoJVP6Y0YB3YFy:OENN+T5xYrllrU7QY6U8zVP6Y53B
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3796 | explorer.exe
  648 | spoolsv.exe
  412 | svchost.exe
  4324 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  3796 | explorer.exe
  3796 | explorer.exe
  3796 | explorer.exe
  3796 | explorer.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
  412 | svchost.exe
  412 | svchost.exe
  3796 | explorer.exe
  3796 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  3796 | explorer.exe
  412 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  3796 | explorer.exe
  3796 | explorer.exe
  648 | spoolsv.exe
  648 | spoolsv.exe
  412 | svchost.exe
  412 | svchost.exe
  4324 | spoolsv.exe
  4324 | spoolsv.exe
  3796 | explorer.exe
  3796 | explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 3392 wrote to memory of 3796 | 3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 89
  PID 3392 wrote to memory of 3796 | 3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 89
  PID 3392 wrote to memory of 3796 | 3392 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 89
  PID 3796 wrote to memory of 648 | 3796 | explorer.exe | 91
  PID 3796 wrote to memory of 648 | 3796 | explorer.exe | 91
  PID 3796 wrote to memory of 648 | 3796 | explorer.exe | 91
  PID 648 wrote to memory of 412 | 648 | spoolsv.exe | 92
  PID 648 wrote to memory of 412 | 648 | spoolsv.exe | 92
  PID 648 wrote to memory of 412 | 648 | spoolsv.exe | 92
  PID 412 wrote to memory of 4324 | 412 | svchost.exe | 93
  PID 412 wrote to memory of 4324 | 412 | svchost.exe | 93
  PID 412 wrote to memory of 4324 | 412 | svchost.exe | 93
  PID 412 wrote to memory of 1792 | 412 | svchost.exe | 95
  PID 412 wrote to memory of 1792 | 412 | svchost.exe | 95
  PID 412 wrote to memory of 1792 | 412 | svchost.exe | 95
  PID 412 wrote to memory of 3060 | 412 | svchost.exe | 100
  PID 412 wrote to memory of 3060 | 412 | svchost.exe | 100
  PID 412 wrote to memory of 3060 | 412 | svchost.exe | 100
  PID 412 wrote to memory of 2212 | 412 | svchost.exe | 102
  PID 412 wrote to memory of 2212 | 412 | svchost.exe | 102
  PID 412 wrote to memory of 2212 | 412 | svchost.exe | 102
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"
  PID: 3392
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 3796
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 648
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 412
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4324
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          Command line: at 22:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1792

        C:\Windows\SysWOW64\at.exe
          Command line: at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3060

        C:\Windows\SysWOW64\at.exe
          Command line: at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2212
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
Downloads