Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 09:00
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
Size: 34KB
MD5: e93e1dfb06e791938d6b2e090da85e60
SHA1: a4ec634d143d8a2a5c1bd1d2ec0f6269bab08b9f
SHA256: f6618ecceed655db5c80d702fe9511dbe206f981c8df937dc0f5f88893808e3e
SHA512: 3fc8fe58e1f774cefe6b0ac13b3e658dad9e7df337bbf0625a98e1bbb55de6e62c663db505dba5aba53b1af380a22671cc5cb01b99566564493c9a0714f3931a
SSDEEP: 384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qwmC:btB9g/WItCSsAGjX7r3BTwmC
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation
Process: NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
The Nation value under Control Panel\International\Geo holds the numeric GeoID of the user's configured country or region, and reading it is a common way for malware to refuse to run in particular countries, which is why the sandbox labels it a likely geofence. The query alone does not show what the sample does with the result.
Executes dropped EXE 1 IoCs
pid: 4100
Process: gewos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process                                      procid_target
PID 4080 wrote to memory of 4100   4080  NEAS.e93e1dfb06e791938d6b2e090da85e60.exe  89
PID 4080 wrote to memory of 4100   4080  NEAS.e93e1dfb06e791938d6b2e090da85e60.exe  89
PID 4080 wrote to memory of 4100   4080  NEAS.e93e1dfb06e791938d6b2e090da85e60.exe  89
All three writes target PID 4100, the gewos.exe child that the sample launches itself. A parent writing into a process it has just created can also happen during ordinary process start-up, so this signature on its own does not establish code injection; it would be more telling if the target were an unrelated process.
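The three behavioural findings above (registry geofence lookup, execution of a dropped EXE, and cross-process writes from the sample into its child) can be reproduced as simple rules over a process/registry/file event trace. The following Python is an added example written for this report; it is not Triage's own signature logic. The event schema, the field names and the trace itself are constructed to mirror the PIDs, image paths and registry key recorded in this analysis, and the file_write event for gewos.exe is an assumption (the report shows the file being executed as a dropped EXE but does not list the write itself).

```python
"""Rule-style detection over a constructed sandbox event trace.

Added example for this report, not Triage's signature code. Events are
constructed to mirror the analysis above; field names are assumptions.
"""
import ntpath

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"  # user-writable drop location

# Constructed trace (not captured telemetry). PIDs, paths and the registry key
# are taken from the report; the file_write of gewos.exe is assumed.
EVENTS = [
    {"type": "reg_query", "pid": 4080,
     "key": r"\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 4080, "path": TEMP_DIR + r"\gewos.exe"},
    {"type": "proc_create", "pid": 4100, "ppid": 4080,
     "image": TEMP_DIR + r"\gewos.exe"},
    {"type": "proc_write", "pid": 4080, "target_pid": 4100},
    {"type": "proc_write", "pid": 4080, "target_pid": 4100},
    {"type": "proc_write", "pid": 4080, "target_pid": 4100},
]

# HKCU\Control Panel\International\Geo\Nation holds the user's GeoID.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


def geofence_checks(events):
    """PIDs that read the configured country code (possible geofencing)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_query"
                   and e["key"].lower().endswith(GEO_KEY_SUFFIX)})


def dropped_exe_executions(events):
    """Process creations whose image was written earlier in the same trace."""
    written = {}   # normalised path -> pid that first wrote it
    hits = []
    for e in events:
        if e["type"] == "file_write":
            written.setdefault(ntpath.normcase(e["path"]), e["pid"])
        elif e["type"] == "proc_create":
            img = ntpath.normcase(e["image"])
            if img in written:
                hits.append({"pid": e["pid"], "image": e["image"],
                             "dropped_by": written[img]})
    return hits


def cross_process_writes(events):
    """Count writes per (source, target) and note whether the target is the
    source's own child: writes into a freshly created child are expected
    during process start-up, writes into unrelated processes are not."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "proc_create"}
    counts = {}
    for e in events:
        if e["type"] == "proc_write":
            pair = (e["pid"], e["target_pid"])
            counts[pair] = counts.get(pair, 0) + 1
    return [{"source": s, "target": t, "writes": n,
             "target_is_child": parents.get(t) == s}
            for (s, t), n in sorted(counts.items())]


def analyze(events):
    """Run all three rules and return the findings as one dict."""
    return {"geofence_pids": geofence_checks(events),
            "dropped_exe": dropped_exe_executions(events),
            "proc_writes": cross_process_writes(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

Running the script against the constructed trace reports PID 4080 for the geofence lookup, gewos.exe (PID 4100) as a dropped executable written by 4080, and three writes from 4080 into 4100 with target_is_child set, which is the pattern this report shows; the same rules applied to real EDR or sandbox telemetry would need the event types mapped from the vendor's schema.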
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe"
  PID: 4080
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gewos.exe (child of PID 4080)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
    PID: 4100
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 34KB
MD5: da3494c3243b75033b2dd3b4007d4fbf
SHA1: 121fd6e133d86414ce701c952de39295c51cd21d
SHA256: ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7
SHA512: 8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113