Analysis

max time kernel: 154s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 08:59
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe
  Resource: win7-20231025-en

Behavioral task: behavioral2
  Sample: NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe
  Resource: win10v2004-20231023-en
General

Target: NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe
Size: 332KB
MD5: e21d24ef2f1f4f30694143746ae3cb90
SHA1: 301b05c4a4de626d498066cd9f717d5cb6e20329
SHA256: e6781cf12a18ccfc8df1c2f7e22b69fc1c827df6eabdbf6b51b6e5f5f7bccdc2
SHA512: eb5fdae7f78db18a94445f97d0af49c8c19c074c7aeb95b63df379cb8513a2894838cc0f5731e62a3447ba8098dfd3c70a068a20198542fb6dac3d5e0ca927ad
SSDEEP: 6144:DmSHm8gnhTB0FbhqTALE0L+pz/TK6pBH3DH3B37TJ1QUCQh:DBG8ghTaFbkTW+11zTx3R1QUJ
Malware Config
Signatures

- Drops file in Windows directory (1 IoC)
  description  | ioc                                            | Process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp  | dw20.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                  | Process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description       | ioc                                                     | Process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS      | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description               | pid  | Process
  Token: SeRestorePrivilege | 1432 | dw20.exe
  Token: SeBackupPrivilege  | 1432 | dw20.exe
  Token: SeBackupPrivilege  | 1432 | dw20.exe
  Token: SeBackupPrivilege  | 1432 | dw20.exe
  Token: SeBackupPrivilege  | 1432 | dw20.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process                                   | procid_target
  PID 4344 wrote to memory of 1432 | 4344 | NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe | 97
  PID 4344 wrote to memory of 1432 | 4344 | NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe | 97
  PID 4344 wrote to memory of 1432 | 4344 | NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe | 97
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e21d24ef2f1f4f30694143746ae3cb90.exe"
   PID: 4344
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 868
      PID: 1432
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken