Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.f1d8a...80.exe

windows7-x64

10

NEAS.f1d8a...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2023, 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

  • Size

    474KB

  • MD5

    f1d8af84a0692c2b41a3f1781accf580

  • SHA1

    a7bca1d8e2ee512e331f96efa7c2e305f5e470b3

  • SHA256

    f12bf1acd8cc8f9c4397be6836104bcea66e5f9f9caaf3d3a0b63e5751aa7b99

  • SHA512

    28d5eeb5a9d719a86545fb0ae040494be4b1501dce060202937d1167123163fc7a3205e4e9debe1de5ce8030029e540d161f5d34d88aaed9cc852cc5739955a8

  • SSDEEP

    6144:pjFRiOcXH6XWD0w1tizmtnktLJ6znvxNcCI+1jDIlnJ9+1aTEPTnOK4JKEl5:nRDc3yWDNU+YUznzNjElWaT07NQt5

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f1d8af84a0692c2b41a3f1781accf580.exe"
    1⤵
    • Modifies firewall policy service
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:4756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\msrpc.exe
    Filesize

    474KB

    MD5

    0dbe32d55d87e12fd7360a4089aa73d0

    SHA1

    f720976a0f3dc99e133f5f641a9e0a7759942af4

    SHA256

    9732e6a7077298952bc68634092d22809d05d28bda7dfd5967b2156664feb7ab

    SHA512

    a8339283a4ffe0a69cc14f1fb97dc50e2a05877ff0ae700b342a73c19f615b53930f14f26f94364b37a69bb2c070b3d5c8610e33b011d4ee7d86d78acccefaf6

    Download Submit

  • memory/4756-0-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4756-1-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-2-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4756-20-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-21-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-22-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-23-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-24-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-25-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-26-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4756-27-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download