Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/11/2023, 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
- Size: 241KB
- MD5: 08d6a612caf1d5fb25258af7c6857fb0
- SHA1: e9153f122e7d708d2513c1d8a6f0e4ee972e09f3
- SHA256: 5fea23e919d3ffa1fe5ca1ef80165f4d00e97e315098c8601f0b0ab8786bb327
- SHA512: bf3b91eaca64871be8de66a1f8a7944d486112868e72235e265e6b4d98b8a41b48bec7c90a8c6b64c611cd58046da83c2288be9b171eae51357b0dffff8e4608
- SSDEEP: 3072:oNzztfivMVMYuFkV3qBnFqOLp4mvy2ACh3+j5z8UcTr/C:oVz8YurEmvy2AChozwPC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1876 | winword.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICROSO~1\\winword.exe\" -vt yazb" | winword.exe
- NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe:bla | NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4640 wrote to memory of 1876 | 4640 | NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe | 84
  PID 4640 wrote to memory of 1876 | 4640 | NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe | 84
  PID 4640 wrote to memory of 1876 | 4640 | NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe"
  PID: 4640
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe (child of PID 4640)
    Command line: C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe --ru -vt yazb
    PID: 1876
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 241KB
  MD5: 48e6383a33e2d57abc7191db048094d8
  SHA1: 86cf29ef6cb50c64ce8a3f499da1558cd5f4ed9f
  SHA256: 91192cb6708da1b4029c6baa8fe966f649439d0f8ea12ef5c22d9e036e1d07a9
  SHA512: c734f61d09846dcfa57413d6ad37437b65f40f5f32d585a39ba482bf04208afa445e7b7748a8f4e5462887422b65e1d37ff42819ce6538cdbadfd6cb23a938d5