Analysis
- max time kernel: 136s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2023, 21:12
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.6fbb9f08304493011c5f575281a17200.exe
- Resource: win7-20231020-en
General
- Target: NEAS.6fbb9f08304493011c5f575281a17200.exe
- Size: 77KB
- MD5: 6fbb9f08304493011c5f575281a17200
- SHA1: bcb7cdfd873dec0827f9436cfeb9e21e8af69468
- SHA256: b495a933d917284d9f35f1a013d9717c20a55bcea142ae03de6790071f0ea3d4
- SHA512: 92d59a578e3846c8db686ab07f76c575916fddbe978428b51d8c199b271a7c289a703d1b1a0ed3e94b6316c75fc50b57c71eb0d788fa55ef6aa10dcb978395b4
- SSDEEP: 1536:zxKyhnAUfUiZR9G84qk+Be/HZ17hmZp2t:zLCEZTGx518E
Malware Config
Extracted
- Family: urelas
- C2:
  218.54.28.139
  121.88.5.183
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.6fbb9f08304493011c5f575281a17200.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4012 | poldge.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4060 wrote to memory of 4012 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 93
  PID 4060 wrote to memory of 4012 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 93
  PID 4060 wrote to memory of 4012 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 93
  PID 4060 wrote to memory of 4760 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 94
  PID 4060 wrote to memory of 4760 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 94
  PID 4060 wrote to memory of 4760 | 4060 | NEAS.6fbb9f08304493011c5f575281a17200.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe"
  PID: 4060
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\poldge.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
    PID: 4012
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 4760
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: af6f90fee60d60070d9076eba7533c76
  SHA1: 015da84cb0cfce8699e8b1937dfac54a15e7e792
  SHA256: 14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687
  SHA512: 53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc
- Filesize: 78KB
  MD5: 5f93059a2380f17d28bbf3c259b4168d
  SHA1: ccab05081be2960c26825ff94d683d84a12bcc1b
  SHA256: 14ff8b568f85a78ac80233b44d9ead49f8d81af010b9aa8c71b8da396fd581ca
  SHA512: de6a15f3a1ad4ae5f36d8de5dd3093c76504c1d045d0cdd3a615b4c75450b787edfb0e7da33ce2e5ee9ed562d4e51e83205faba54f271bd6d334142776652c13
- Filesize: 284B
  MD5: 253b224b4b890a6141588c3af279b4cd
  SHA1: 2b03fb0f093da8899a4792dec24524d6ef48d47c
  SHA256: 7a32edda7451cca0ead58782ed1938581f697044c3b920edd631e8c3ec96dc83
  SHA512: 359bcdb083bfbe4ff4a47be406fc6ba6c9e36e452e646d4b4783ecb327fc1c8599ca44e0b33ce054a5b3f5f5c92d61e6f944479c9e3965b3ac4e5558fa0afcc3