Analysis
max time kernel: 169s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:36
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.79a1b90431319340535a9f40dba9ef90.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.79a1b90431319340535a9f40dba9ef90.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.79a1b90431319340535a9f40dba9ef90.exe
-
Size
135KB
-
MD5
79a1b90431319340535a9f40dba9ef90
-
SHA1
5ffccde270c41685f714add89d5555ae88519aac
-
SHA256
84fd0df9d663923def1df601513a04eb15dcb2ff900da32848e2399f27a6a6b1
-
SHA512
ae0eec8f1fee12618eb71467fd7c5ffca5a62ab4a676836cfb22b83a25dc8e72c05da3dbcf342044adc1bccd10e646352f1f8201aa94d0fdb0e72ae16ee47796
-
SSDEEP
1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXH:UVqoCl/YgjxEufVU0TbTyDDalRH
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / process:
  Set value (int)  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe

Executes dropped EXE (4 IoCs)
pid / process:
  4772  explorer.exe
  1348  spoolsv.exe
  2092  svchost.exe
  4976  spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe

Drops file in System32 directory (2 IoCs)
description / ioc / process:
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe

Drops file in Windows directory (4 IoCs)
description / ioc / process:
  File opened for modification  \??\c:\windows\resources\svchost.exe  spoolsv.exe
  File opened for modification  C:\Windows\Resources\tjud.exe  explorer.exe
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  NEAS.79a1b90431319340535a9f40dba9ef90.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe  explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process (the 64 entries all belong to these two processes, each listed repeatedly):
  3692  NEAS.79a1b90431319340535a9f40dba9ef90.exe
  4772  explorer.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / process:
  4772  explorer.exe
  2092  svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid / process (each listed twice):
  3692  NEAS.79a1b90431319340535a9f40dba9ef90.exe
  4772  explorer.exe
  1348  spoolsv.exe
  2092  svchost.exe
  4976  spoolsv.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / procid_target (each relationship logged three times):
  PID 3692 wrote to memory of 4772  3692  NEAS.79a1b90431319340535a9f40dba9ef90.exe  96
  PID 4772 wrote to memory of 1348  4772  explorer.exe  97
  PID 1348 wrote to memory of 2092  1348  spoolsv.exe  98
  PID 2092 wrote to memory of 4976  2092  svchost.exe  99
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.79a1b90431319340535a9f40dba9ef90.exe  (PID 3692)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.79a1b90431319340535a9f40dba9ef90.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe  (PID 4772, child of 3692)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe  (PID 1348, child of 4772)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe  (PID 2092, child of 1348)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe  (PID 4976, child of 2092)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
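The signatures and process tree above reduce to three host behaviours worth a detection rule: binaries named like system components (explorer.exe, svchost.exe, spoolsv.exe) executing from c:\windows\resources\ instead of their real locations, Run/RunOnce values that point at those copies, and Explorer's ShowSuperHidden value being zeroed so the dropped files stay out of sight. The Python below is an added example, not part of the Triage report or of the sample; it runs those checks (plus one for writes to the real SysWOW64\explorer.exe path by a masquerading process) over Sysmon-style events constructed here to mirror the report. The per-binary list of expected directories is an assumption for a stock Windows install and should be tuned for the estate being monitored.

```python
"""Detection rules for the behaviours in the report above, run over constructed
Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistrySetValue).
Added example: the events are made up to mirror the report, not real telemetry."""
import re

# Assumption: where each of these binaries lives on a stock Windows install.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
STAGING_DIR = "c:\\windows\\resources\\"   # drop directory seen in the report
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
SUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)


def norm_path(p: str) -> str:
    """Lower-case, strip quotes and the NT '\\??\\' prefix the sandbox shows."""
    p = p.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower().rstrip("\\")


def split_path(p: str):
    head, _, tail = norm_path(p).rpartition("\\")
    return head, tail


def is_masquerade(image: str) -> bool:
    """A system-binary file name running from a directory it does not live in."""
    d, name = split_path(image)
    return name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]


def exe_from_command(cmd: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_zero(details: str) -> bool:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; the sandbox shows plain '0'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16) == 0
    return details.strip().strip('"') == "0"


def check_event(ev: dict):
    """Return a list of (rule, reason) tuples that fire for one event."""
    hits, eid, image = [], ev["EventID"], ev.get("Image", "")
    if eid == 1 and is_masquerade(image):
        hits.append(("T1036.005 masquerade",
                     f"{norm_path(image)} launched by {norm_path(ev.get('ParentImage', ''))}"))
    elif eid == 13:
        key, details = ev["TargetObject"], ev["Details"]
        if RUN_KEY_RE.search(key):
            exe = exe_from_command(details)
            if is_masquerade(exe) or norm_path(exe).startswith(STAGING_DIR):
                hits.append(("T1547.001 run key", f"{key} -> {exe}"))
        elif SUPERHIDDEN_RE.search(key) and is_zero(details):
            hits.append(("T1564.001 hide system files", f"{key} = 0 by {norm_path(image)}"))
    elif eid == 11:
        d, name = split_path(ev["TargetFilename"])
        # A real system-binary path being written by a masquerading process.
        if name in EXPECTED_DIRS and d in EXPECTED_DIRS[name] and is_masquerade(image):
            hits.append(("system binary overwrite",
                         f"{norm_path(ev['TargetFilename'])} written by {norm_path(image)}"))
    return hits


def scan(events):
    """(event index, rule, reason) for every rule that fires across the events."""
    return [(i, rule, why) for i, ev in enumerate(events) for rule, why in check_event(ev)]


# Constructed events shaped after the report; the OneDrive and thumb.tmp ones are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"\??\c:\windows\resources\themes\explorer.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\NEAS.79a1b90431319340535a9f40dba9ef90.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "Image": r"c:\windows\resources\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\resources\svchost.exe RO"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"c:\windows\resources\themes\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": r"c:\windows\resources\themes\explorer.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\thumb.tmp"},
]

if __name__ == "__main__":
    for idx, rule, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {why}")
```

Two points a responder should keep in mind when adapting this. The masquerade check keys on the location, not the hash, because the Downloads section below shows that the copies dropped into c:\windows\resources\ carry hashes different from the parent sample, so blocking the parent's hash alone leaves the persistence copies in place. And the RunOnce values here are written under WOW6432Node by a 32-bit process on 64-bit Windows, so a rule that only watches the native Run/RunOnce path misses them; the key regex above deliberately ignores the Wow6432Node prefix.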
Network
MITRE ATT&CK Enterprise v15
Downloads
8 dropped-file entries, 3 distinct files, each 135KB:

File 1 (listed 2 times)
  Filesize  135KB
  MD5       7b977e8d9af088f5e6ac20fb4120a91c
  SHA1      a82378edc475dd6258a40a4de52640f8e69bb8ef
  SHA256    99298446873f7d7633749b37606b57137fd68be492f5896865aeff3c6bde06c0
  SHA512    5b8761b9f12ee05b350085951011b6e60994c0a51a21a1ea81f9aa0834418af3474285510af8f11b971ba0e88fd254e9ab423e7847815486e6e9d4e4b4dbf1a8

File 2 (listed 4 times)
  Filesize  135KB
  MD5       b3d941b0fae662c6f10b436798ccfaa4
  SHA1      494db5ccd2a239928c51b449cbdbb9c38cbf476e
  SHA256    46aca7341eb336e693be5eee570a6609065ae8ce28ec4f0b609374f9a2507a83
  SHA512    8e8a5f144ff6d3f05bde278abd0c41265db0f6e103cfc542bb8cb93304462a829a6e525590e26595441d4b81d6ab6ed5a85d02ebff3b9def83ee4b868e727be4

File 3 (listed 2 times)
  Filesize  135KB
  MD5       5b2d8044c4f6742c3b74ee071f055e1a
  SHA1      e4bf02f1b98c65ad9ac605bc336ac35826d2da3c
  SHA256    6aa0259be1f1422402cc03d22f8d092ee1db1755c78f66a407179988997852df
  SHA512    722dd0c3891bba76c0f20fe279eb352d83667aa649cd375d446ef3c55fe71844976e1bcb3d6696fd6d94240791d7e6e7064f2cc7a5485ed9cb2b7648ef6c70d3