Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis

- Max time kernel: 159s
- Max time network: 166s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231023-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 02/11/2023, 14:16
Behavioral tasks

- behavioral1: sample NEAS.9401ca50afc559a747420dacb98f4530.exe, resource win7-20231020-en
- behavioral2: sample NEAS.9401ca50afc559a747420dacb98f4530.exe, resource win10v2004-20231023-en

The signatures, YARA matches and process tree below are reported against behavioral2 (the Windows 10 run).
General

- Target: NEAS.9401ca50afc559a747420dacb98f4530.exe
- Size: 41KB
- MD5: 9401ca50afc559a747420dacb98f4530
- SHA1: d4a8290b2add0c05a262d36612bf2ffd63ec5e1d
- SHA256: 65a9b07deb28170148ff1ce7dd9c6548638423df3620c9b753becf68e842cd35
- SHA512: 1411dfe75c60d9c3065fd4f13949bd07a54b0676496b81015a91a4758e5627b0a74191f6d84750eb70122570515224e4ec1b5dadb9d25fef3db244c86c1bb574
- SSDEEP: 384:DBXkocaoPBX5Yq5aN6i/U6eeQ+vubblOsqPEqXKtkSCb2:DKPPQYaN67EWbQsgNW5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.

- Key value queried: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation
- Process: NEAS.9401ca50afc559a747420dacb98f4530.exe

Geo\Nation holds the Windows GeoID of the user's configured location (HKCU\Control Panel\International\Geo), which makes it a cheap pre-execution check. Note that it reflects the user's region setting, not the machine's actual network location, so changing that setting in the analysis VM is one way to test whether the sample behaves differently.
Executes dropped EXE (1 IoC)
- PID 2744: hromi.exe

YARA matches (rule: upx)
- behavioral2/memory/2556-0-0x0000000000400000-0x00000000004092E7-memory.dmp
- behavioral2/memory/2556-1-0x0000000000400000-0x00000000004092E7-memory.dmp
- behavioral2/files/0x0006000000022df7-6.dat
- behavioral2/files/0x0006000000022df7-8.dat
- behavioral2/files/0x0006000000022df7-9.dat

Both memory dumps of PID 2556 (image mapped at 0x400000) and the dropped file captures match the upx rule, so the packer indicators are present in the running image as well as on disk.
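The upx matches above come from a YARA rule; the following is an added example (not Triage's code and not the rule that fired) of the two cheap UPX indicators such rules usually key on: section names beginning with "UPX" and the "UPX!" marker string. The PE bytes are constructed by build_synthetic_pe() so the script runs offline; they are not bytes from NEAS.9401ca50afc559a747420dacb98f4530.exe or hromi.exe, and the synthetic header layout is an assumption made for the demonstration.

```python
"""
Added example: minimal PE section-table walker plus UPX indicator check.
Not part of the Triage report; the synthetic PE image is constructed here.
"""
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_synthetic_pe(section_names, trailer=b""):
    """Build a tiny PE32 image (DOS stub, headers, section table only) with the
    given section names. Assumed layout for demonstration; no section bodies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                  # e_lfanew -> 0x40
    opt_size = 224                                       # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                           0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    sections = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                    0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections + trailer


def pe_section_names(data):
    """Walk the section table of a PE image and return its section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                     # after COFF + optional hdr
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Cheap UPX tells: stock UPX names its sections UPX0/UPX1(/UPX2) and leaves
    a 'UPX!' marker. A repacked or renamed sample defeats the name check, which
    is why the in-memory dump match in the report is the more useful one."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


if __name__ == "__main__":
    packed = build_synthetic_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
    clean = build_synthetic_pe([b".text", b".data"])
    print(upx_indicators(packed), looks_upx_packed(packed))
    print(upx_indicators(clean), looks_upx_packed(clean))
```

Run it against a real file by replacing the synthetic image with `open(path, "rb").read()`; for a memory dump like the ones listed above the same walker works because the section headers are still mapped at the image base.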
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2556 (NEAS.9401ca50afc559a747420dacb98f4530.exe) wrote to memory of PID 2744 (hromi.exe), three times; procid_target 91 in all three rows.

All three writes target the child that 2556 itself launches (see Processes). A parent writing into the address space of a process it has just created is also what ordinary process start-up looks like, so on its own this signature is weak evidence of injection; it would carry more weight if the target were a process the sample did not create.
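The three signature hits above (the Geo\Nation query, the dropped EXE, and the parent-to-child WriteProcessMemory rows) can be re-scored from an event stream. The script below is an added example, not Triage's code: the event tuples, their field names, the assumed parent of PID 2556 and the file_write event are constructed for this script from the report's process tree and IoC rows, and the scoring rules are this script's own.

```python
"""
Added example (not Triage's code): replays this page's three signature hits
from a constructed event stream and separates parent-to-child memory writes
from cross-process ones. Field names and rules are assumptions.
"""
import re

# Geo\Nation holds the user's configured GeoID (HKCU\Control Panel\International\Geo).
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed event stream modelled on the report's process tree and IoC rows.
# The parent of PID 2556 (None) and the file_write event are assumptions; the
# page only shows that hromi.exe was dropped and then executed.
EVENTS = [
    ("process_start", {"pid": 2556, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.9401ca50afc559a747420dacb98f4530.exe"}),
    ("reg_query", {"pid": 2556,
     "key": r"\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation"}),
    ("file_write", {"pid": 2556, "path": r"C:\Users\Admin\AppData\Local\Temp\hromi.exe"}),
    ("process_start", {"pid": 2744, "ppid": 2556,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hromi.exe"}),
    ("write_process_memory", {"pid": 2556, "target": 2744}),
    ("write_process_memory", {"pid": 2556, "target": 2744}),
    ("write_process_memory", {"pid": 2556, "target": 2744}),
]


def analyze(events):
    """Return (finding, pid, detail) tuples for an event stream in the shape above."""
    procs = {}      # pid -> {"ppid": ..., "image": ...}
    written = {}    # lower-cased path -> pid that wrote it
    findings = []
    for kind, e in events:
        if kind == "process_start":
            procs[e["pid"]] = {"ppid": e["ppid"], "image": e["image"]}
            writer = written.get(e["image"].lower())
            if writer is not None:
                where = " under %TEMP%" if TEMP_RE.search(e["image"]) else ""
                findings.append(("executes_dropped_exe", e["pid"],
                                 f"image written earlier by pid {writer}{where}"))
        elif kind == "file_write":
            written[e["path"].lower()] = e["pid"]
        elif kind == "reg_query":
            if GEO_KEY_RE.search(e["key"]):
                findings.append(("geofence_check", e["pid"],
                                 "queried Control Panel\\International\\Geo\\Nation"))
        elif kind == "write_process_memory":
            target = procs.get(e["target"])
            if target is not None and target["ppid"] == e["pid"]:
                # Parent writing into a child it created: process start-up looks
                # the same, so this is weak evidence of injection on its own.
                findings.append(("wpm_parent_to_child", e["pid"],
                                 f"target pid {e['target']} is its own child"))
            else:
                findings.append(("wpm_cross_process", e["pid"],
                                 f"target pid {e['target']} is not a child of the writer"))
    return findings


def summarize(events):
    """Count findings by kind; wpm_cross_process is the bucket worth escalating."""
    counts = {}
    for kind, _, _ in analyze(events):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
    print(summarize(EVENTS))
```

On the report's events every WriteProcessMemory row lands in wpm_parent_to_child; a write from hromi.exe into, say, an already-running explorer.exe would land in wpm_cross_process instead, which is the case that deserves a closer look.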
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.9401ca50afc559a747420dacb98f4530.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.9401ca50afc559a747420dacb98f4530.exe"
   PID: 2556
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\hromi.exe (child of PID 2556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hromi.exe"
      PID: 2744
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

The original report lists the dropped file three times (matching the three behavioral2/files/0x0006000000022df7-*.dat captures above); all three entries carry the same hashes:

- Filesize: 41KB
- MD5: fa489533860bb710f5cdaa2d38baad06
- SHA1: a4e73b62f93188af305daf2bd7b59a5f23cf3843
- SHA256: e12df5fcf5f9de4f538a1df51702e1a5b43675363e4fbeceba98705dee4d448d
- SHA512: a2375e0871ccd88f03dc0e37093fcab138d7667d75462ff42c5db06d87cb405184668e25742e954614081af81b1c817f4ae93393156eb2fb4ff9fc6ca2c55697

This file (presumably hromi.exe, the only dropped executable in the process tree) is the same size as the submitted sample but has different hashes, so it is not a byte-identical copy of NEAS.9401ca50afc559a747420dacb98f4530.exe.