Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2023, 07:35

General

  • Target

    NEAS.ac9958e4a582ae514e4487ec9d273350.exe

  • Size

    228KB

  • MD5

    ac9958e4a582ae514e4487ec9d273350

  • SHA1

    a15765543d2c078975823fcebe88cd4b763ad76d

  • SHA256

    8668458c8a828b9a801383c149582c15db640d4eb5df60702db207dd2de26f25

  • SHA512

    aa512f6d6e898b7a28a5d4130efb3e8e9028dac9698b7b86b01fa0c72af399a10e0341c90123a9692b51dd22b7b2942692cd0b67d2640c4e9b508f7292dd57e8

  • SSDEEP

    3072:tIgcTTjAq4wbnBjvxc8287Gw8OUtyjMhTdglu4SUvmre:teAq4wb97KyjsTGxvn

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ac9958e4a582ae514e4487ec9d273350.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ac9958e4a582ae514e4487ec9d273350.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\appdata\local\temp\taskserf.exe
      "C:\Users\Admin\appdata\local\temp\taskserf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 944
      2⤵
      • Program crash
      PID:3844
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1672 -ip 1672
    1⤵
      PID:448

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\taskserf.exe

      Filesize

      228KB

      MD5

      981849d4393da63e630a6e25d018b2cd

      SHA1

      3cafa0473ac3edf3496644e89b6a8035a321f9ba

      SHA256

      1b9bed4ab3e463579e80e019102705289bb6e61d7e9c7b14aadf9d41d6688a5a

      SHA512

      df8b2e8a5904d5bcc74080d014a6c743e5ce6df32c9accb1ab51f1f33a52de7016397c341d17a35d2ea9739c35b0320965e38e8a31e8943b74aa7795a6441300

    • C:\Users\Admin\AppData\Local\Temp\taskserf.exe

      Filesize

      228KB

      MD5

      981849d4393da63e630a6e25d018b2cd

      SHA1

      3cafa0473ac3edf3496644e89b6a8035a321f9ba

      SHA256

      1b9bed4ab3e463579e80e019102705289bb6e61d7e9c7b14aadf9d41d6688a5a

      SHA512

      df8b2e8a5904d5bcc74080d014a6c743e5ce6df32c9accb1ab51f1f33a52de7016397c341d17a35d2ea9739c35b0320965e38e8a31e8943b74aa7795a6441300

    • C:\Users\Admin\appdata\local\temp\taskserf.exe

      Filesize

      228KB

      MD5

      981849d4393da63e630a6e25d018b2cd

      SHA1

      3cafa0473ac3edf3496644e89b6a8035a321f9ba

      SHA256

      1b9bed4ab3e463579e80e019102705289bb6e61d7e9c7b14aadf9d41d6688a5a

      SHA512

      df8b2e8a5904d5bcc74080d014a6c743e5ce6df32c9accb1ab51f1f33a52de7016397c341d17a35d2ea9739c35b0320965e38e8a31e8943b74aa7795a6441300

    • memory/1672-0-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/1672-11-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/1776-12-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB