Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2023, 18:04

General

  • Target

    NEAS.29a98a2e7b592b81b1575da3f1450150.exe

  • Size

    473KB

  • MD5

    29a98a2e7b592b81b1575da3f1450150

  • SHA1

    abb5a5799db34a07d72ed67d17a2439712b3c257

  • SHA256

    8a3b0fadb3d29acc80da1aab63d7a8d966a0a30af1652578f37cabdbda619863

  • SHA512

    4a1f805e54f8f465991c82ecfb7f4961a1cf8fee30cf44cd3873ecb54b02abb57650430e559e33bf0f1841ab27c6f7002135b7d25325866105e82f82ba2d441e

  • SSDEEP

    1536:ur3Z5IfQmv81a1xyXHZ+NGQSLNmCm6oyz7jBd7qDmbNPMJAVC+++h:yJOfQm01mxyXHZKG7pm6j77Z

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.29a98a2e7b592b81b1575da3f1450150.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.29a98a2e7b592b81b1575da3f1450150.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\guehost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:3884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEAS29~1.EXE > nul
      2⤵
        PID:1672
    • C:\Windows\Debug\guehost.exe
      C:\Windows\Debug\guehost.exe
      1⤵
      • Executes dropped EXE
      PID:2288

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\guehost.exe

      Filesize

      473KB

      MD5

      f1bbe5695d0b23f1d11ac889fcc6eb90

      SHA1

      5933d5548a7709d05c64c3301221d5c465cd0e8c

      SHA256

      b72e64f82582035b9ba2ea5515af63bd4a848aee92e85760915d9a70db463f5d

      SHA512

      f082e2232e24ec51d4b64c2507c920952121c54600e7bdcd86966d784991cbba14fff7244fa3287fe003a2d6164dd0e248904d1e626e695d23ee136e27ff1143

    • C:\Windows\debug\guehost.exe

      Filesize

      473KB

      MD5

      f1bbe5695d0b23f1d11ac889fcc6eb90

      SHA1

      5933d5548a7709d05c64c3301221d5c465cd0e8c

      SHA256

      b72e64f82582035b9ba2ea5515af63bd4a848aee92e85760915d9a70db463f5d

      SHA512

      f082e2232e24ec51d4b64c2507c920952121c54600e7bdcd86966d784991cbba14fff7244fa3287fe003a2d6164dd0e248904d1e626e695d23ee136e27ff1143