Analysis

  • max time kernel
    169s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2023, 14:11

General

  • Target

    NEAS.4a635c77d44a596ef0b5c0e38c05d9c0.exe

  • Size

    204KB

  • MD5

    4a635c77d44a596ef0b5c0e38c05d9c0

  • SHA1

    20515e905b52ea2021e3e43aa7fb4801e480e57e

  • SHA256

    2c19efe945a9b183be41c2db5b883cae7156fe01a37376305f47bc5af299fb79

  • SHA512

    8fc31cb56602adc80ef0a575fe20ee27756a6824a64aad155a05d071a2f24d30516138600e82a8175434aed8d99d2af0861d97edc9e1794ff75967b6e54f6f1e

  • SSDEEP

    3072:QmRW8MDaO0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWr5:rAFmO4QxL7B9W0c1RCzR/fSmlY

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.4a635c77d44a596ef0b5c0e38c05d9c0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.4a635c77d44a596ef0b5c0e38c05d9c0.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\cotaw.exe
      "C:\Users\Admin\cotaw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\cotaw.exe

    Filesize

    204KB

    MD5

    b2140d2d162983ea9ca6f957e861b12e

    SHA1

    9697f46a09f357895fee642699e14b0ccb562891

    SHA256

    5b31a9f91740260ba2e96bd54507cb02872cf7c70991379503567a90e117260f

    SHA512

    e4be02838d746d7ff9ce8695d02da42b36ef64ac985db94af14587a0a7b7d368699272088d46687570aad0c3bdd4346f13c64e5d1874952b50454eab1f70c86b