Analysis
- max time kernel: 161s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 14:16
- Static task: static1
- Behavioral task behavioral1: sample NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe, resource win7-20231020-en
- Behavioral task behavioral2: sample NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe, resource win10v2004-20231023-en
General
- Target: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
- Size: 484KB
- MD5: ab7b1cae52fd4459dbcb7597e6311600
- SHA1: 4d57b4c6f09b9251667aaf0716593a6907f964ef
- SHA256: 05315f6abdc85fa17ff3d20a11ab3cfc2c5c7f026439805e77a89b90d730e6ae
- SHA512: 71fa98b3a02711c99e5e96300ce02eadf9ec71e9509c1bb1a111ed5a143a8227181131f353456c3fb3b408354bceae70cae8541ee29d6cc2d60dfcc54caca019
- SSDEEP: 6144:NLTtdYsiZsWnpAwCKCFzEGfuXLZ9U+PhOMUjq+FhBN89psPv0lfWXHIH2pjo132Z:NLPkCDt1EG2XVekhdeTlYeXZjRX4
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
  pid   Process
  3240  expailes.exe
  4032  ARPdiag.exe
  4828  ~653D.tmp
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gameance = "C:\\Users\\Admin\\AppData\\Roaming\\RoboHost\\expailes.exe"
  Process: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\ARPdiag.exe
  Process: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4880  1772        WerFault.exe  86
  3248  1772        WerFault.exe  86
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3240  expailes.exe   (2 events)
  3288  Explorer.EXE   (62 further events, alternating between Explorer.EXE and ARPdiag.exe)
  4032  ARPdiag.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3288  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           3240  expailes.exe   (1 event)
  Token: SeShutdownPrivilege        3288  Explorer.EXE   (14 events)
  Token: SeCreatePagefilePrivilege  3288  Explorer.EXE   (14 events, alternating with SeShutdownPrivilege)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3288  Explorer.EXE   (2 events)
Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3288  Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                    procid_target
  PID 1772 wrote to memory of 3240  1772  NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe  92   (x3)
  PID 3240 wrote to memory of 4828  3240  expailes.exe                               94   (x2)
  PID 4828 wrote to memory of 3288  4828  ~653D.tmp                                  24   (x1)
  PID 1772 wrote to memory of 3248  1772  NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe  97   (x3)
Processes
C:\Windows\Explorer.EXE  (PID 3288)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe  (PID 1772)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\RoboHost\expailes.exe  (PID 3240)
      command line: "C:\Users\Admin\AppData\Roaming\RoboHost"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\~653D.tmp  (PID 4828)
        command line: 3288 495624 3240 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe  (PID 4880)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 608
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 3248)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 608
      - Program crash
C:\Windows\SysWOW64\ARPdiag.exe  (PID 4032)
  command line: C:\Windows\SysWOW64\ARPdiag.exe -s
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\WerFault.exe  (PID 3064)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1772 -ip 1772
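The two tables that matter most in this report are the WriteProcessMemory signature and the process tree: the submitted sample drops expailes.exe, which starts ~653D.tmp, which in turn writes into Explorer.EXE (PID 3288), after which Explorer itself starts showing EnumeratesProcesses, FindShellTrayWindow, UnmapMainImage and the token adjustments. The Python below is an added example, not Triage's code or output. It re-parses the nine WriteProcessMemory records exactly as they appear on this page together with a process table transcribed from the process tree, and separates writes into a process's own child (what every parent here does right after spawning one) from writes into an unrelated process. The parent links in PROCESSES and the child-versus-injection heuristic are assumptions of this example, not something the report states.

```python
"""Added example: reconstruct the injection chain from a Triage report's
WriteProcessMemory signature and process tree (not Triage's own code)."""
import re
from collections import OrderedDict

# Constructed input: the nine records of the report's
# "Suspicious use of WriteProcessMemory" table, one per line.
WPM_EVENTS = """\
PID 1772 wrote to memory of 3240 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 92
PID 1772 wrote to memory of 3240 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 92
PID 1772 wrote to memory of 3240 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 92
PID 3240 wrote to memory of 4828 3240 expailes.exe 94
PID 3240 wrote to memory of 4828 3240 expailes.exe 94
PID 4828 wrote to memory of 3288 4828 ~653D.tmp 24
PID 1772 wrote to memory of 3248 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 97
PID 1772 wrote to memory of 3248 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 97
PID 1772 wrote to memory of 3248 1772 NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe 97
"""

# Process table transcribed from the report's process tree: pid -> (image, parent pid).
# Parent links are assumed from the tree nesting; processes shown at the top
# level (Explorer, ARPdiag, the -pss WerFault) get no parent.
PROCESSES = {
    3288: ("Explorer.EXE", None),
    1772: ("NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe", 3288),
    3240: ("expailes.exe", 1772),
    4828: ("~653D.tmp", 3240),
    4880: ("WerFault.exe", 1772),
    3248: ("WerFault.exe", 1772),
    4032: ("ARPdiag.exe", None),
    3064: ("WerFault.exe", None),
}

# Record layout: "PID <writer> wrote to memory of <target> <writer> <writer image> <triage procid>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_events(text):
    """Return unique (writer_pid, target_pid, writer_image) tuples in first-seen order.
    Triage emits one record per WriteProcessMemory call, so repeats are collapsed."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            seen[(int(m.group(1)), int(m.group(2)), m.group(3))] = None
    return list(seen)


def classify_writes(events, procs):
    """Label each write 'child' when the target is the writer's own child process
    (routine right after CreateProcess, and also how hollowing starts) and
    'injection' when the target is an unrelated process (the interesting case)."""
    labelled = []
    for writer, target, image in events:
        parent = procs.get(target, (None, None))[1]
        kind = "child" if parent == writer else "injection"
        labelled.append((writer, target, image, kind))
    return labelled


def ancestry(procs, pid):
    """Parent chain from the root down to pid, e.g. [3288, 1772, 3240, 4828]."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs.get(pid, (None, None))[1]
    return chain[::-1]


def injection_findings(text, procs):
    """Cross-process writes, each with the full lineage of the injecting process."""
    findings = []
    for writer, target, image, kind in classify_writes(parse_events(text), procs):
        if kind == "injection":
            lineage = " -> ".join(f"{procs[p][0]}({p})" for p in ancestry(procs, writer))
            findings.append({
                "injector": writer, "injector_image": image,
                "target": target, "target_image": procs.get(target, ("?", None))[0],
                "lineage": lineage,
            })
    return findings


if __name__ == "__main__":
    for f in injection_findings(WPM_EVENTS, PROCESSES):
        print(f"{f['injector_image']}({f['injector']}) wrote into "
              f"{f['target_image']}({f['target']}); lineage: {f['lineage']}")
```

Run as is, the only cross-process write it reports is ~653D.tmp (4828) into Explorer.EXE (3288), with lineage Explorer.EXE(3288) -> NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe(1772) -> expailes.exe(3240) -> ~653D.tmp(4828); the other three writes all land in a process the writer itself just spawned. Two details from the page are worth noting alongside that output: the first argument on ~653D.tmp's command line, 3288, is Explorer's PID (what the remaining arguments mean the report does not say), and Explorer is also the process that launched the sample in the sandbox, so the injected shell sits at both ends of the chain. That is why the Explorer.EXE signatures are worth reading as post-injection activity rather than as noise from the shell.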
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: aac3165ece2959f39ff98334618d10d9
  SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
  SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
  SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf
- Filesize: 484KB
  MD5: 8201f190c61e2ce01d2a0ab7c37a0e12
  SHA1: 89f9410e80d47a1c40b39c25ae6d98e77f7291eb
  SHA256: 7c0d9eb9001d87e262c2c8972bc87e1dc97d754d2bb7df9e8e63121344ffddec
  SHA512: 6f9262149648d69d3fd2e46cf6cb2e61d7399516ea396d8192b04917a7e2822717817b8ab660e5ef426e38024aabf87c92a187c31bd305b2799e77d57ff749ce