Analysis
max time kernel: 137s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2023, 20:30
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.1e835ba7ad110ecf49806efc820067a0.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.1e835ba7ad110ecf49806efc820067a0.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.1e835ba7ad110ecf49806efc820067a0.exe
-
Size
887KB
-
MD5
1e835ba7ad110ecf49806efc820067a0
-
SHA1
b6940c36c46b058737709694c22bdc2915d95290
-
SHA256
492f534c424a9ae061a87decbfc36f98cbc78c86a0eedf34783dab5bd5dc3c0f
-
SHA512
f4e32e991fb1fbd2dea275830ff96e7a245fd9c1f7c60a619e3b8d21f3d6a679388be4e991d1ffa003549d7b270d45997e116666d8369cef8cb3b4e6d8ef72b9
-
SSDEEP
6144:nSsGF15F2SA+THG3uEagqzgNTZy8o/Ltzzq/MMPwABbxxJa/YESN:nJGFR2/+SeEagxdZkGPjVDa/ZSN
Malware Config
Signatures
Deletes itself 1 IoCs
pid | Process
1516 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe

Executes dropped EXE 1 IoCs
pid | Process
1516 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe

Program crash 3 IoCs
pid | pid_target | Process | procid_target
4460 | 4004 | WerFault.exe | 88
100 | 1516 | WerFault.exe | 96
3088 | 1516 | WerFault.exe | 96

Suspicious behavior: RenamesItself 1 IoCs
pid | Process
4004 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
1516 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4004 wrote to memory of 1516 | 4004 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe | 96
PID 4004 wrote to memory of 1516 | 4004 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe | 96
PID 4004 wrote to memory of 1516 | 4004 | NEAS.1e835ba7ad110ecf49806efc820067a0.exe | 96
Processes
"C:\Users\Admin\AppData\Local\Temp\NEAS.1e835ba7ad110ecf49806efc820067a0.exe"  PID:4004
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 344  PID:4460
  - Program crash
  C:\Users\Admin\AppData\Local\Temp\NEAS.1e835ba7ad110ecf49806efc820067a0.exe  PID:1516
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
    C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 344  PID:100
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 364  PID:3088
    - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004  PID:3648
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1516 -ip 1516  PID:3492
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1516 -ip 1516  PID:4052
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
887KB
MD5 ae35a226912f08bac97da9ab9e10ffa5
SHA1 c4f971dfe3865311f85faa365ee4ec8758632180
SHA256 08f20ffc2d489048061c4a60217a8125690502c174ae8f49e2c628475820fcfa
SHA512 8ae33325a7c0a9ee3fbf4fd288f2c7f1fc32fd7ec74b801a0b1235c80ff256b3b02adbf6f13e09a0b35c2e1298d198cae2c9a0439e49f0e638d2e8ff4179046e