Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.279fc...50.exe

windows7-x64

10

NEAS.279fc...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

  • Size

    458KB

  • MD5

    279fca2fb9903b7be96c3cadc7ef3a50

  • SHA1

    e169f06c121656afcd28fbe0f90cd4565fc31c27

  • SHA256

    f2a3a9f378db287bdd6aeb8c68e8e6dbb4c544d01a7e48ce58f4c9f29b5e4b7b

  • SHA512

    c500b449dee51f63d1fe621987e4bd69e0e6718f07ede27ec13f1d562719819b4f5d58ed6be6c8ee2e2a4e2d0a86b9e0464c9d3c592933d3e83f61eb892654df

  • SSDEEP

    6144:/pW2bgbbV28okoS1oWMkdlZQ5iioct0IwdNOuLcktJFksISWmSILKxrj:/pW2IoioS6jsk

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:4776
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.bak
    Filesize

    458KB

    MD5

    38112246f923effc0248089d1526aeca

    SHA1

    362d3ce055c040355b51e42a0da0e54b3aac9a69

    SHA256

    21025a54f6b2afd3abc7cd18b819ed48823fc33ef7c20f22b568e8d0af7811ac

    SHA512

    b71c7208d8bf5f27264698caa79aaff1434fdd6d3bf534557ce91dee12fc7e5d150aa9c759b56bdb9420ef3f044e5fd3a10e7845868b14aeaa051d2713f16629

    Download Submit

  • memory/4264-0-0x0000021C9A0A0000-0x0000021C9A0C8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4264-1-0x00007FFE80610000-0x00007FFE810D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4264-2-0x00007FFE80610000-0x00007FFE810D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4264-3-0x0000021CB46A0000-0x0000021CB46B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4264-4-0x0000021CB46A0000-0x0000021CB46B0000-memory.dmp

    Filesize

    64KB

    Download