Analysis
Max time kernel: 149s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20231020-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05/11/2023, 07:35
Behavioral task: behavioral1
  Sample: NEAS.ac9958e4a582ae514e4487ec9d273350.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.ac9958e4a582ae514e4487ec9d273350.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.ac9958e4a582ae514e4487ec9d273350.exe
Size: 228KB
MD5: ac9958e4a582ae514e4487ec9d273350
SHA1: a15765543d2c078975823fcebe88cd4b763ad76d
SHA256: 8668458c8a828b9a801383c149582c15db640d4eb5df60702db207dd2de26f25
SHA512: aa512f6d6e898b7a28a5d4130efb3e8e9028dac9698b7b86b01fa0c72af399a10e0341c90123a9692b51dd22b7b2942692cd0b67d2640c4e9b508f7292dd57e8
SSDEEP: 3072:tIgcTTjAq4wbnBjvxc8287Gw8OUtyjMhTdglu4SUvmre:teAq4wb97KyjsTGxvn
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation (process: NEAS.ac9958e4a582ae514e4487ec9d273350.exe)
Executes dropped EXE (1 IoC)
  PID 1776: taskserf.exe
YARA rule matches (yara_rule: upx)
  behavioral2/memory/1672-0-0x0000000000400000-0x000000000043B000-memory.dmp
  behavioral2/files/0x000b000000022da9-5.dat
  behavioral2/files/0x000b000000022da9-9.dat
  behavioral2/files/0x000b000000022da9-10.dat
  behavioral2/memory/1672-11-0x0000000000400000-0x000000000043B000-memory.dmp
  behavioral2/memory/1776-12-0x0000000000400000-0x000000000043B000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskserf.exe = "c:\\users\\admin\\appdata\\local\\temp\\taskserf.exe" (process: NEAS.ac9958e4a582ae514e4487ec9d273350.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskserf.exe = "c:\\users\\admin\\appdata\\local\\temp\\taskserf.exe" (process: NEAS.ac9958e4a582ae514e4487ec9d273350.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  PID 3844: WerFault.exe, pid_target 1672, procid_target 81
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1776: taskserf.exe (2 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 1672: NEAS.ac9958e4a582ae514e4487ec9d273350.exe
  PID 1776: taskserf.exe (6 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1672 (NEAS.ac9958e4a582ae514e4487ec9d273350.exe) wrote to memory of PID 1776, procid_target 86 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.ac9958e4a582ae514e4487ec9d273350.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ac9958e4a582ae514e4487ec9d273350.exe"
  PID: 1672
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\appdata\local\temp\taskserf.exe
    Command line: "C:\Users\Admin\appdata\local\temp\taskserf.exe"
    PID: 1776
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 944
    PID: 3844
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1672 -ip 1672
  PID: 448
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 228KB
MD5: 981849d4393da63e630a6e25d018b2cd
SHA1: 3cafa0473ac3edf3496644e89b6a8035a321f9ba
SHA256: 1b9bed4ab3e463579e80e019102705289bb6e61d7e9c7b14aadf9d41d6688a5a
SHA512: df8b2e8a5904d5bcc74080d014a6c743e5ce6df32c9accb1ab51f1f33a52de7016397c341d17a35d2ea9739c35b0320965e38e8a31e8943b74aa7795a6441300