Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.fa2f8...50.dll

windows7-x64

1

NEAS.fa2f8...50.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2023, 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.fa2f8ea0dface3b3e935b106edef4150.dll

  • Size

    3.5MB

  • MD5

    fa2f8ea0dface3b3e935b106edef4150

  • SHA1

    1944790945d8b7fee88d474404eb90b89d9384d6

  • SHA256

    7bfffae521bf579cd33463deb7e19ce83c69a5ab40bb71af96c3fe141c7b16fd

  • SHA512

    d0b3b0df5a5190444290b4e538546d01e7384d564bdd1aa86786f4f6b5ef759277627cb7ead3b79a9fd36b2c3c963aab7eb5b0c19378358fd09bb195dcd76827

  • SSDEEP

    49152:mMXEiGdi/R+kKp+6FlLlCYuJPA3LBuq8NBU8AxdwDHVfv9ytA8Wpl+SJ8lQqhq:aBp+gtlCRiSJ8

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops file in Windows directory 16 IoCs
  • Checks SCSI registry key(s) 3 TTPs 32 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\NEAS.fa2f8ea0dface3b3e935b106edef4150.dll
    1⤵
    • Modifies security service
    • Sets DLL path for service in the registry
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2552
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s wuauserv
    1⤵
    • Checks for any installed AV software in registry
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:5088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RGI39F7.tmp
    Filesize

    5KB

    MD5

    b1de769b1de88d3c15dde48343ea675f

    SHA1

    5c29acd5ded8ce153b10e6df356f7ca6af725c65

    SHA256

    59a9466ba020839c9b20d8f545920b9ec807a1c89f6895b0e78f0ca8a07bf989

    SHA512

    4dd8ea6901d51d7e9c2b4286241eccd9838a2f37cdc67db0c34069c1a06cd39160947f9c4c656c4ef7105f207ff28f0b01f55367c57eafff79c86d3a662fde1a

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\TMP43AB.tmp
    Filesize

    16KB

    MD5

    d410319561b5559e46f2d12a94a463f5

    SHA1

    6c5aed5986ecb1acda7c6b80cfd3d41cff7faf29

    SHA256

    7d33dcedb1aef041eaa4c7b1c6139843a3da71128382c93e9c516d625922d4b9

    SHA512

    6ae16b3a6a79a0f0fe308a49c8cae9603743343ca0c3afc635129c92f51958593f49a06df148cb5376cde403cf7ddc3fb29dfb1774182969c0d994dd2a29d725

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\sls.cab
    Filesize

    23KB

    MD5

    df05ac827e0d5ef261a0103db3d6b086

    SHA1

    ab26c67c4f72e4dffad5686e7f912773d6797cc9

    SHA256

    4156412f0ed20b33707572e12603468fd1844c89f66aaa9509f55b2dce540c72

    SHA512

    84255d98a249ab635f9b2eee382bbfe945edc09c3a63bef6dfb686061b20642861d6c26ba11e8a67eb1a9a956a2e2ec26dbd7ea93a9d34475f04f9a250fe6c90

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMP54D4.tmp
    Filesize

    29KB

    MD5

    165979b7bfbfb10099f8f7f69c29c94d

    SHA1

    a37f36c61f8ba27705e9e6cfc10a39bb47c1a119

    SHA256

    bc0136b29983b6508f5d284dbb23891fbcfd170c12d115dcf8788034cff949b0

    SHA512

    31b8eddc93e25768718407a356aa51f15df10e61a5b5dc29bdd278fbeac2bbd23d7ac1199e4c04914b837bffa7052af0b564da666c05a9151efe922063454041

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\sls.cab
    Filesize

    37KB

    MD5

    c3b5852f73b43cf19dfd1da78886e128

    SHA1

    5e15062d33a677850f853dcecc5ff0fae92b3df8

    SHA256

    003978a8c3beeba597c4b3308049245618c83b498a399bdec022ed0b761a0abb

    SHA512

    d550cdb4e4cf1d81b3f96f9b28e42bffd6c7bea38faca738542f886a299d6af15ab61228a4caf9b4ac689b05c100e736b251dfbcc25f3274ab6f8107c8bfc3aa

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP5197.tmp
    Filesize

    25KB

    MD5

    b96f3c205fa38c44254b0ef5e46b6187

    SHA1

    939e293cc6d6ee47459a63e50aa95c4e0333b2de

    SHA256

    6f99bc79bc58acd3854ecd03fb7cc0b4bfa311197467407e397eb9511e506139

    SHA512

    f515cb0cd13081b5b7fa47977446696457aeaf8aa47982c7c421e8505f09e888e9f7a7e599e895d6d2f2183139b43e287cdee9b95bf6e86a401821b8ed937f75

    Download Submit

  • C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\sls.cab
    Filesize

    35KB

    MD5

    5b903c1057d55077131c30b0d7fc5201

    SHA1

    cfe1b07a6620d84015a80cd3cdcffe33582a6b35

    SHA256

    b4290a223af42fd19d5fd94650a601204a09d4dd3bbf5f72a4ad4fba8192188b

    SHA512

    7b3934c8495d04be5f0a32cd0b3fb6db8196ab3a5c8adcd3f2ff18bccad9178023617d51a9258f0b5d1fa12c38fc14f840f40207e5b47e0e2e36a34903ee8387

    Download Submit

  • memory/5088-13-0x000002CCE5790000-0x000002CCE57A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-45-0x000002CCEAC30000-0x000002CCEAC34000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-46-0x000002CCEAC20000-0x000002CCEAC21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5088-42-0x000002CCEA980000-0x000002CCEA984000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-25-0x000002CCEA410000-0x000002CCEA414000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-19-0x000002CCE5D20000-0x000002CCE5D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-43-0x000002CCEA970000-0x000002CCEA971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5088-78-0x000002CCEC6F0000-0x000002CCEC6F4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-79-0x000002CCEC6F0000-0x000002CCEC6F4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-80-0x000002CCECFC0000-0x000002CCECFC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-81-0x000002CCECFC0000-0x000002CCECFC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-82-0x000002CCED030000-0x000002CCED034000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5088-83-0x000002CCED060000-0x000002CCED064000-memory.dmp

    Filesize

    16KB

    Download