Analysis
- max time kernel: 45s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2023, 22:27
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.4545290d3484e3025debd0ee61610fd0.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.4545290d3484e3025debd0ee61610fd0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.4545290d3484e3025debd0ee61610fd0.exe
- Size: 621KB
- MD5: 4545290d3484e3025debd0ee61610fd0
- SHA1: 7ae2e35894ef3f69f17b87f63e99ee4b06814a12
- SHA256: 8f3f46137a2d37c1a9ae39a06777e536aeb7fa2705c6100958dcc9fa914e4f65
- SHA512: e22ef73665fe14f86f894295d04d7f7b8c215e7d62b7d6af483758a281430889ec51b1716dc8c3220368ad1ebb9d7e0353bf5ac988606fe4726299a13a472989
- SSDEEP: 12288:A4eH5HlYFGhgftuyFRWzRSxxtJlOT4udasHYz4P90Sj:A4enYF2gwlzRuzLO8sHY810Sj
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (28 IoCs)
Processes
- NEAS.4545290d3484e3025debd0ee61610fd0.exe (PID 1148)
  Image: C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 3228): C:\Windows\system32\cmd.exe /c cls
  - cmd.exe (PID 2060): C:\Windows\system32\cmd.exe /c color 5
  - cmd.exe (PID 2080): C:\Windows\system32\cmd.exe /c cls
  - cmd.exe (PID 4708): C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    Signatures: Suspicious use of WriteProcessMemory
    - certutil.exe (PID 3600): certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe" MD5
    - find.exe (PID 1844): find /i /v "certutil"
    - find.exe (PID 3092): find /i /v "md5"
  - cmd.exe (PID 1468): C:\Windows\system32\cmd.exe /c cls
  - cmd.exe (PID 2764): C:\Windows\system32\cmd.exe /c color 9
  - cmd.exe (PID 1964): C:\Windows\system32\cmd.exe /c color 9
  - cmd.exe (PID 4808): C:\Windows\system32\cmd.exe /c cls
  - cmd.exe (PID 5020): C:\Windows\system32\cmd.exe /c start https://discord.gg/subz
    Signatures: Suspicious use of WriteProcessMemory
    - msedge.exe (PID 3468): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/subz
      Signatures: Suspicious use of WriteProcessMemory
      - msedge.exe (PID 3948): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9142346f8,0x7ff914234708,0x7ff914234718
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: f4787679d96bf7263d9a34ce31dea7e4
  SHA1: ebbade52b0a07d888ae0221ad89081902e6e7f1b
  SHA256: bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
  SHA512: de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307