Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted
28/10/2023, 17:52
Behavioral task
behavioral1
Sample
NEAS.5c0f0962b050399f72bffc051720c165.exe
Resource
win7-20231020-en
General
-
Target
NEAS.5c0f0962b050399f72bffc051720c165.exe
-
Size
195KB
-
MD5
5c0f0962b050399f72bffc051720c165
-
SHA1
58dd5d89316c04d92997e85f8a18fe7b339155e7
-
SHA256
8cedfb1d7306c80e93b354efbcaf1fb1913ac74079bd36e43f753740a7253ae6
-
SHA512
bf681ba986bee0b88345c82e38d4eea22bcaccdd557e066e466fa0fb957b1a0ec18f28a436755be96b404b51da67c268de463f14463f7b45bb76e6e3cf72b830
-
SSDEEP
3072:ulOCNlACeMKV6ETiiXd60iuic+XzoWad5N443nsexP:ugCNSv6p8lec+cTiqsexP
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
-
Deletes itself 1 IoCs
PID 1624, cmd.exe
Executes dropped EXE 1 IoCs
PID 1732, biudfw.exe
Loads dropped DLL 1 IoCs
PID 1652, NEAS.5c0f0962b050399f72bffc051720c165.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1652 wrote to memory of 1732 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 28
PID 1652 wrote to memory of 1732 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 28
PID 1652 wrote to memory of 1732 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 28
PID 1652 wrote to memory of 1732 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 28
PID 1652 wrote to memory of 1624 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 30
PID 1652 wrote to memory of 1624 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 30
PID 1652 wrote to memory of 1624 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 30
PID 1652 wrote to memory of 1624 | 1652 | NEAS.5c0f0962b050399f72bffc051720c165.exe | 30
Processes
-
- C:\Users\Admin\AppData\Local\Temp\NEAS.5c0f0962b050399f72bffc051720c165.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.5c0f0962b050399f72bffc051720c165.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1652
  - C:\Users\Admin\AppData\Local\Temp\biudfw.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    PID: 1732
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    PID: 1624
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
195KB
MD5
2881a0d92bd437761d71dffa395545c4
SHA1
51668272be0f6f2af5e5157d64e89004bc5d14e9
SHA256
98aa8fe017e1f48073f8a9d7a888db1c66554e3bb267b807372e052c712d9a97
SHA512
0a963d126cdb3e0a284af68c4f3ee20208f0662e6c516373409f6de16bdb4308f18d08bba1429d2d99d68517ca4ac95983f6ff979f8e143fab2ae47d477924b2
-
Filesize
512B
MD5
ae2bc1a0af002d17af7a85dce0028d6d
SHA1
c484b779aaead2f1d9e3b770fb7766f871a45e81
SHA256
9e3db9db2402a201b1ea8f8fbd4e0a857b13188d05685bc56ef7bddd88d26571
SHA512
c2ff1d2c53fd5b57b8890fab8db7bb5af42a0a88eb3849843e9ea9178c85579fd80c4d1782372be822be347e8466002b9455ec5d5f0c8a97a60b93e720b11975
-
Filesize
284B
MD5
4a5e58efa5d50eb3658cd8a64d558aea
SHA1
b14308182089777db315be0b5dc6de57ec5afb36
SHA256
00b22f9db812019d6371144efbaebebf52315abf59cdfd5a9e0c820ab349cc00
SHA512
df1686acbc3e36a00d2c81b33f49198635250a01872c0ff7a875b0caa6f18ff2e65989fc3362e551334f4aa2d76964cba5d3eeac956953aeb842e2a5dd43d194
-
Filesize
284B
MD5
4a5e58efa5d50eb3658cd8a64d558aea
SHA1
b14308182089777db315be0b5dc6de57ec5afb36
SHA256
00b22f9db812019d6371144efbaebebf52315abf59cdfd5a9e0c820ab349cc00
SHA512
df1686acbc3e36a00d2c81b33f49198635250a01872c0ff7a875b0caa6f18ff2e65989fc3362e551334f4aa2d76964cba5d3eeac956953aeb842e2a5dd43d194
-
Filesize
195KB
MD5
2881a0d92bd437761d71dffa395545c4
SHA1
51668272be0f6f2af5e5157d64e89004bc5d14e9
SHA256
98aa8fe017e1f48073f8a9d7a888db1c66554e3bb267b807372e052c712d9a97
SHA512
0a963d126cdb3e0a284af68c4f3ee20208f0662e6c516373409f6de16bdb4308f18d08bba1429d2d99d68517ca4ac95983f6ff979f8e143fab2ae47d477924b2