Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/11/2023, 16:41
- Static task: static1
- Behavioral task: behavioral1
  - Sample: NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
  - Resource: win7-20231020-en
- Behavioral task: behavioral2
  - Sample: NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
  - Resource: win10v2004-20231025-en
General
- Target: NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
- Size: 4.0MB
- MD5: 1efc0e1d03c7c7c3783aa5d49679a810
- SHA1: 2288313b7c092a0561cd788b64fd6a7c12a38288
- SHA256: c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d
- SHA512: 39d75ec31cdf87ce402e72ee057cc5dba36f0a2a1e080063c67886f4a423e14c5f3dd8d3d5e32c1b476a60a4a3360cca74343de49577ce75064653499ac19526
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4892 | sysdevbod.exe
  5024 | adobloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCO\\adobloc.exe" | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid14\\dobaloc.exe" | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2628 NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe 2628 NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe 2628 NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe 2628 NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe 4892 sysdevbod.exe 4892 sysdevbod.exe 5024 adobloc.exe 5024 adobloc.exe -
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2628 wrote to memory of 4892 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 91
  PID 2628 wrote to memory of 4892 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 91
  PID 2628 wrote to memory of 4892 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 91
  PID 2628 wrote to memory of 5024 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 92
  PID 2628 wrote to memory of 5024 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 92
  PID 2628 wrote to memory of 5024 | 2628 | NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe"
  PID: 2628
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (child of PID 2628)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 4892
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocCO\adobloc.exe (child of PID 2628)
    Command line: C:\IntelprocCO\adobloc.exe
    PID: 5024
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads