Analysis

  • max time kernel
    193s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/10/2023, 17:26

General

  • Target

    NEAS.b63ceee432db98368c63d184cc5b43e0.exe

  • Size

    436KB

  • MD5

    b63ceee432db98368c63d184cc5b43e0

  • SHA1

    d65f91820b8a1bcb184f74bd29b1064318bd1df5

  • SHA256

    37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb

  • SHA512

    c534dcd220f67078c34c6ca0391c34d357669dfaa05578e26b4663edc97d9bab93125f3f2ed460cfe76c4be1eeea8faf3280b44d8e7d646e70f31b4232a8cbaf

  • SSDEEP

    6144:8vEN2U+T6i5LirrllHy4HUcMQY6Pj5q8deoJVP6Y0YB3YFy:OENN+T5xYrllrU7QY6U8zVP6Y53B

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3392
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3796
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:648
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:412
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4324
          • C:\Windows\SysWOW64\at.exe
            at 22:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1792
          • C:\Windows\SysWOW64\at.exe
            at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3060
          • C:\Windows\SysWOW64\at.exe
            at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2212
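Two things in the process tree above are worth turning into hunt logic: the sample drops copies of itself under C:\Windows\System (a legacy directory) using the names of real system binaries (explorer.exe lives in C:\Windows, spoolsv.exe and svchost.exe in System32), and the svchost.exe copy then calls at.exe three times with /interactive and /every:M,T,W,Th,F,S,Su to schedule itself daily. A caveat on the second point: since Windows 8, at.exe only prints a deprecation message pointing at schtasks.exe and creates no job, so on this Windows 10 image these three invocations are an attempted persistence mechanism rather than a working one; the attempt is still the thing to alert on. The script below is an added example, not code from Triage or the report. The command lines are copied from the tree; the pid/ppid records are reconstructed by hand from the depth markers, and EXPECTED_LOCATIONS is our own list of where those binary names legitimately live.

```python
"""Hunt logic for the process tree in this report (added example).

Assumptions (not from the report): the pid/ppid records are rebuilt by
hand from the tree depth markers, and EXPECTED_LOCATIONS is our own list
of the directories where the impersonated binaries legitimately live.
"""
import re

# Command lines copied from the report; parent/child links reconstructed
# from the depth markers (1..5).  Root PID 3392 has no parent here.
PROCESS_EVENTS = [
    {"pid": 3392, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"'},
    {"pid": 3796, "ppid": 3392, "image": r"c:\windows\system\explorer.exe",
     "cmdline": r"c:\windows\system\explorer.exe"},
    {"pid": 648, "ppid": 3796, "image": r"c:\windows\system\spoolsv.exe",
     "cmdline": r"c:\windows\system\spoolsv.exe SE"},
    {"pid": 412, "ppid": 648, "image": r"c:\windows\system\svchost.exe",
     "cmdline": r"c:\windows\system\svchost.exe"},
    {"pid": 4324, "ppid": 412, "image": r"c:\windows\system\spoolsv.exe",
     "cmdline": r"c:\windows\system\spoolsv.exe PR"},
    {"pid": 1792, "ppid": 412, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 22:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    {"pid": 3060, "ppid": 412, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    {"pid": 2212, "ppid": 412, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
]

# Lower-case directories where these names are expected (our assumption).
# C:\Windows\System is a legacy directory; none of these belong there.
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

ALL_DAYS = {"M", "T", "W", "Th", "F", "S", "Su"}  # at.exe /every: day tokens

AT_RE = re.compile(
    r"^at(?:\.exe)?\s+(?P<time>\d{1,2}:\d{2})\s+(?P<flags>(?:/\S+\s+)*)(?P<target>\S.*)$",
    re.IGNORECASE,
)


def masquerading_path(path):
    """True if `path` uses a well-known system binary name outside its home."""
    p = path.strip('"').lower()
    if p.startswith("\\??\\"):          # normalise NT-style \??\C:\... paths
        p = p[4:]
    directory, _, name = p.rpartition("\\")
    expected = EXPECTED_LOCATIONS.get(name)
    return expected is not None and directory not in expected


def parse_at_command(cmdline):
    """Parse an `at <time> [/flags] <command>` line; None if it is not one."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    flags = m.group("flags").split()
    lowered = [f.lower() for f in flags]
    every = next((f.split(":", 1)[1] for f in flags
                  if f.lower().startswith("/every:")), None)
    days = set(every.split(",")) if every else set()
    return {
        "time": m.group("time"),
        "interactive": "/interactive" in lowered,
        "daily": days == ALL_DAYS,
        "target": m.group("target").strip(),
    }


def lineage(events, pid):
    """Image names from the root ancestor down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rpartition("\\")[2].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def analyse(events):
    """Return (pid, rule, detail) findings for the two behaviours above."""
    findings = []
    for e in events:
        if masquerading_path(e["image"]):
            findings.append((e["pid"], "masquerading_system_binary", e["image"]))
        if e["image"].lower().endswith("\\at.exe"):
            job = parse_at_command(e["cmdline"])
            if job and job["daily"]:
                rule = "at_daily_persistence"
                if masquerading_path(job["target"]):
                    rule += "_masquerading_target"
                findings.append((e["pid"], rule, job["target"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(PROCESS_EVENTS):
        print(f"{pid:>5}  {rule:<45} {detail}")
    print(" -> ".join(lineage(PROCESS_EVENTS, 1792)))
```

Running it yields four masquerading findings (PIDs 3796, 648, 412, 4324) and three at.exe findings whose target is itself a masquerading path, plus the lineage dropper -> explorer.exe -> spoolsv.exe -> svchost.exe -> at.exe. On a real telemetry feed the same two rules apply unchanged to Sysmon event ID 1 or EDR process-start records; only the record shape needs adapting.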

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          436KB

          MD5

          0f733a832d99fcc57bf27e6c660d8e78

          SHA1

          75177fa940d003dab7ab3cab289f82207874441b

          SHA256

          ea25e75738dc466e37c164313a914d47f66cb90d7676d61e34befd8a45ac11a1

          SHA512

          b08827704c347c2fbfd3a632cca0212dd4c2fd8c89a787d64f4ee6c1dce7b0cf31c45c6b0aeca69be2d7fba2a5d1c108192874706baaa3e90a5af0e4fffc18ee

        • C:\Windows\System\explorer.exe

          Filesize

          436KB

          MD5

          4c823369734a6e24f20ed3bfc6982317

          SHA1

          b73436b110898196845307d8ff1e54a0d71a5911

          SHA256

          cbaafb7cb7e2388c19251616e37143306973f5e9b956f958ce4e288742cb68a3

          SHA512

          e7b5cef0503871517c9afa162e44d757ab40d954dc803ac36e78bc646d1edd73b3a78a6f336c76975d5cecd708094b22d8eab19bc9ac8fce7b31204096638704

        • C:\Windows\System\spoolsv.exe

          Filesize

          436KB

          MD5

          d40144e316ffdbc501e52ee4c9f39909

          SHA1

          a9a2d6cc89c64699f88eb31ad5abee64a674a47f

          SHA256

          879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

          SHA512

          97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

        • C:\Windows\System\svchost.exe

          Filesize

          436KB

          MD5

          706786031f25ff3d929f675b722a4bec

          SHA1

          ef0592f43a14eb12604dcfd83c5d2dc5812c9b32

          SHA256

          81f616b0644e72050f5d349f91a4902a8358854262d18bbd47e193bca151398f

          SHA512

          bc3f2bfee35cc7b68dfadcb82677c2ba0e00953e54b851bb18f324479f6a347c58f21c5ef1d658db8ac476cf00ab0c3a475d298002b98cbc7a2fe98dd023fee3

        • \??\c:\windows\system\explorer.exe

          Filesize

          436KB

          MD5

          4c823369734a6e24f20ed3bfc6982317

          SHA1

          b73436b110898196845307d8ff1e54a0d71a5911

          SHA256

          cbaafb7cb7e2388c19251616e37143306973f5e9b956f958ce4e288742cb68a3

          SHA512

          e7b5cef0503871517c9afa162e44d757ab40d954dc803ac36e78bc646d1edd73b3a78a6f336c76975d5cecd708094b22d8eab19bc9ac8fce7b31204096638704

        • \??\c:\windows\system\spoolsv.exe

          Filesize

          436KB

          MD5

          d40144e316ffdbc501e52ee4c9f39909

          SHA1

          a9a2d6cc89c64699f88eb31ad5abee64a674a47f

          SHA256

          879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

          SHA512

          97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

        • \??\c:\windows\system\svchost.exe

          Filesize

          436KB

          MD5

          706786031f25ff3d929f675b722a4bec

          SHA1

          ef0592f43a14eb12604dcfd83c5d2dc5812c9b32

          SHA256

          81f616b0644e72050f5d349f91a4902a8358854262d18bbd47e193bca151398f

          SHA512

          bc3f2bfee35cc7b68dfadcb82677c2ba0e00953e54b851bb18f324479f6a347c58f21c5ef1d658db8ac476cf00ab0c3a475d298002b98cbc7a2fe98dd023fee3