Analysis
max time kernel: 135s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 08:34
Behavioral task: behavioral1
Sample: NEAS.de9253f555e75191219e85c4244e2410.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.de9253f555e75191219e85c4244e2410.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.de9253f555e75191219e85c4244e2410.exe
Size: 49KB
MD5: de9253f555e75191219e85c4244e2410
SHA1: 4db3b40a38706b6c872070c76d2372083c415e00
SHA256: 9075e6b60d36800b0247526677cf920490ce21ef0b8e8667920153ff3b076175
SHA512: 96bf9035e00b9bb00d6c5faf9349b3cd0cc715090b5fec931d635814bb1f8c126765c41c25576ab483db022a4cf4908f7a673b600649f810d17c1b2501aeedef
SSDEEP: 768:fIj4bdHPqYKS1/US6GPQPFAiRAck1nEszc:w4hHCdqcS6JAH+
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.de9253f555e75191219e85c4244e2410.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  4908 | updtool.exe

- resource | yara_rule
  behavioral2/memory/4848-0-0x0000000000400000-0x000000000040C000-memory.dmp | upx
  behavioral2/memory/4848-1-0x0000000000400000-0x000000000040C000-memory.dmp | upx
  behavioral2/memory/4848-4-0x0000000004000000-0x0000000004005000-memory.dmp | upx
  behavioral2/files/0x000a000000022d09-10.dat | upx
  behavioral2/files/0x000a000000022d09-12.dat | upx
  behavioral2/files/0x000a000000022d09-13.dat | upx
  behavioral2/memory/4848-16-0x0000000000400000-0x000000000040C000-memory.dmp | upx
  behavioral2/memory/4908-17-0x0000000000400000-0x000000000040C000-memory.dmp | upx

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4848 wrote to memory of 4908 | 4848 | NEAS.de9253f555e75191219e85c4244e2410.exe | 97
  PID 4848 wrote to memory of 4908 | 4848 | NEAS.de9253f555e75191219e85c4244e2410.exe | 97
  PID 4848 wrote to memory of 4908 | 4848 | NEAS.de9253f555e75191219e85c4244e2410.exe | 97
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.de9253f555e75191219e85c4244e2410.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.de9253f555e75191219e85c4244e2410.exe"
   PID: 4848
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\updtool.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\updtool.exe"
      PID: 4908
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 49KB
  MD5: 22f23008a87bd0224706497444a0d50c
  SHA1: f1324b67bcd0a0abe5a5c842cb3f7f36d891bf17
  SHA256: 2411b9ce369ffe14cb79bbab025062024c7c38d20442d2e1ef0e0f9ea3d1295d
  SHA512: 30f908d89bef1943b2d2aef3366b057b5d856fc2096d8f51792b198b58667286189f92856ba94515645fd825bd828405e37273be1c3b1edee229ea4cf2092d19