Analysis
max time kernel: 134s
max time network: 140s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2023, 01:54
Static task
static1

Behavioral task
behavioral1
Sample: NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
Resource: win7-20231023-en

Behavioral task
behavioral2
Sample: NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
Size: 216KB
MD5: 914bc1a57dedeb6c4c28365b41b4c260
SHA1: f6bb527f8862fda30bb36b1f3f0125ade1536a6e
SHA256: 1cc59b4142e6aba697b6416db732ede7f87c1bb76444307b2e0ee4c5af0d598a
SHA512: 08dcea76115ee2f934283225f51bcaf50b5540bd15b5564197c28b2307f143b8b9cb7c0945904718c29b0585c2afc2f0b2aa8216629ac9dde187edeb115506da
SSDEEP: 3072:SPUHpiKT2t2UHIu05W7SAFJJOUD9cckiKop97f3r8n9t9YgntwZ:/rTfUHeeSKOS9ccFKk3Y9t9YZZ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2652  Isass.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
  2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
    Process: NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
    Process: NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
  2652  Isass.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description                        PID   Process                                    procid_target
  PID 2620 wrote to memory of 2652   2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe  28
  PID 2620 wrote to memory of 2652   2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe  28
  PID 2620 wrote to memory of 2652   2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe  28
  PID 2620 wrote to memory of 2652   2620  NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.914bc1a57dedeb6c4c28365b41b4c260.exe"
  PID: 2620
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Microsoft Build\Isass.exe  (child of PID 2620)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    PID: 2652
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 216KB
MD5: 914bc1a57dedeb6c4c28365b41b4c260
SHA1: f6bb527f8862fda30bb36b1f3f0125ade1536a6e
SHA256: 1cc59b4142e6aba697b6416db732ede7f87c1bb76444307b2e0ee4c5af0d598a
SHA512: 08dcea76115ee2f934283225f51bcaf50b5540bd15b5564197c28b2307f143b8b9cb7c0945904718c29b0585c2afc2f0b2aa8216629ac9dde187edeb115506da