Analysis
max time kernel: 118s
max time network: 136s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2023, 16:45
Behavioral task: behavioral1
Sample: NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe
Size: 308KB
MD5: 7d1f8be5694ddb81c2b1681b44c996e0
SHA1: 76e5ac30ae7962c76795d517dcb34327e65e04ed
SHA256: 37e40b732239b322fd186e507776d21ef55a18ce71e8eaebc86d7ab30ee36ce6
SHA512: 4512705c1f251e94ec7d040a826a51c4d0c133c0677918a17bf6f8f3086921aa561673d8eb46881a14037a040dccf143defa19b8f6b21aef122fae1cd1c5dd8c
SSDEEP: 1536:l2eDy4RZvZZqQKOsssssssswJEYw04IIssssssssssUwcrgZQwMEoIQssos4ssoK:T7HZZqZ//gl
Malware Config
Signatures
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1576  2872        WerFault.exe  7
Opens file in notepad (likely ransom note) (1 IoCs)
pid   Process
2908  NOTEPAD.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                                    procid_target
PID 2872 wrote to memory of 2908   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  28
PID 2872 wrote to memory of 2908   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  28
PID 2872 wrote to memory of 2908   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  28
PID 2872 wrote to memory of 2908   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  28
PID 2872 wrote to memory of 1576   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  29
PID 2872 wrote to memory of 1576   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  29
PID 2872 wrote to memory of 1576   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  29
PID 2872 wrote to memory of 1576   2872  NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2872
    C:\Windows\SysWOW64\NOTEPAD.EXE (depth 2)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\isaacv1.7.8a.0000-20220808-203734-24520-3656.txt
      - Opens file in notepad (likely ransom note)
      PID: 2908
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 928
      - Program crash
      PID: 1576
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 246KB
MD5: 9b407459c2b71bb02a0f58bd5c06a4e3
SHA1: d0e86b447cd253e758471c0f15969bd2af667593
SHA256: 75ea4bab903818d31a4bf50167c0bedc46da8c9873dca94adeeabe9b1327ea98
SHA512: aad0c61d1667e131907c0ce4aa6e4c40bc6970c13ba2bc587d5cc84d35156afdc313f58a8cc7cbeccf63209c92ce44eb34a5f4f3437ddac8a05a9200fb6d1107