Analysis
max time kernel: 136s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2023, 00:24

Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe
  Resource: win7-20231023-en
General
Target: NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe
Size: 1.1MB
MD5: e1f61de3ae82c0cc2b89aa86dc3ef6d0
SHA1: f5c7ab2ec02c21e703afd9cd6f7e6804671072a7
SHA256: 8a1122b932941d8fedeb0ea81ca928cd955a577ba4b79b9ea3973828829fdb7b
SHA512: 893696b69be5633a509476b4e869111d74e1da7091d21558a1169704d04084a1fd3a80946b877d039209944f7fc538e1006ffaaa68c41408da858afdd9a6126a
SSDEEP: 24576:pdtP2cbksTpugRNJI50FMJFMFggMFgMFgggMJFggMFggoNu2EiJ8:qgqW
Malware Config
Extracted
family: nanocore
version: 1.2.2.0
c2: 91.236.116.142:5888
mutex: d995ed82-bf13-4043-b564-f5f89f8c5209

activate_away_mode: true
backup_connection_host: 91.236.116.142
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2017-01-07T03:01:54.729778636Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5888
default_group: Spy
enable_debug_mode: true
gc_threshold: 10485760
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760
mutex: d995ed82-bf13-4043-b564-f5f89f8c5209
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 91.236.116.142
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation
  Process: NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe

Executes dropped EXE (1 IoC)
  PID 3992: app.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\Users\Admin\AppData\Roaming\app.exe"
  Process: NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3992 (app.exe) set thread context of PID 4380 (procid_target 111)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2564: schtasks.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  PID 4172 NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe (6 events)
  PID 3992 app.exe (12 events)
  PID 4380 aspnet_compiler.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4380: aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 4172 NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe
  Token: SeDebugPrivilege, PID 3992 app.exe
  Token: SeDebugPrivilege, PID 4380 aspnet_compiler.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4172 (NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe) wrote to memory of PID 3992, procid_target 103 (3 events)
  PID 3992 (app.exe) wrote to memory of PID 4380, procid_target 111 (8 events)
  PID 4380 (aspnet_compiler.exe) wrote to memory of PID 2564, procid_target 112 (3 events)
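The signatures above report each stage on its own: a Run key pointing into %APPDATA%, a dropped app.exe, SetThreadContext and WriteProcessMemory into an argument-less aspnet_compiler.exe, and a schtasks import from %TEMP%. What a detection engineer wants is the chain, attributed to one sample. The Python below is an added example and not tria.ge output: it runs four rules over Sysmon-style events (EventID 1 process create, 13 registry set, 10 process access) and collapses the hits onto the root of the process tree. The events are constructed to mirror this report's PIDs and paths; the rule names, the event field layout and the use of a PROCESS_VM_WRITE bit in the EventID 10 access mask as the hollowing signal are assumptions of the example, not something the report states.

```python
"""Correlate constructed Sysmon-style events into the chain this report's
Signatures describe. Added example; not tria.ge or Sysmon output."""
import re
from collections import defaultdict

# Paths taken from the report; PIDs match the process tree.
NEAS = r"C:\Users\Admin\AppData\Local\Temp\NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe"
APP = r"C:\Users\Admin\AppData\Roaming\app.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

EVENTS = [  # constructed; shapes follow Sysmon field names, not a real export
    {"id": 1, "pid": 4172, "ppid": 1000, "image": NEAS, "cmd": f'"{NEAS}"'},
    {"id": 13, "pid": 4172, "image": NEAS,
     "target": r"HKU\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application",
     "details": APP},
    {"id": 1, "pid": 3992, "ppid": 4172, "image": APP, "cmd": f'"{APP}"'},
    {"id": 1, "pid": 4380, "ppid": 3992, "image": ASPNET, "cmd": f'"{ASPNET}"'},
    {"id": 10, "pid": 3992, "image": APP, "target_pid": 4380, "target_image": ASPNET, "access": "0x1FFFFF"},
    {"id": 1, "pid": 2564, "ppid": 4380, "image": SCHTASKS,
     "cmd": r'"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB220.tmp"'},
]

# .NET SDK binaries that loaders commonly spawn suspended and hollow.
DOTNET_HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                         "installutil.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
TRUSTED_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
PROCESS_VM_WRITE = 0x0020


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def run_key_to_user_dir(ev):
    """Sysmon 13: Run/RunOnce value whose data points into a user profile directory."""
    if ev["id"] != 13 or r"\currentversion\run" not in ev["target"].lower():
        return None
    return ("run_key_to_user_dir", ev["pid"], ev["details"]) if USER_WRITABLE.search(ev["details"]) else None


def dotnet_utility_without_arguments(ev):
    """Sysmon 1: an SDK utility started with no arguments does nothing useful on its own."""
    if ev["id"] != 1 or basename(ev["image"]) not in DOTNET_HOLLOW_TARGETS:
        return None
    if ev["cmd"].strip().strip('"').lower() == ev["image"].lower():
        return ("dotnet_utility_without_arguments", ev["pid"], ev["image"])
    return None


def hollowed_dotnet_utility(ev):
    """Sysmon 10: a process outside Windows/Program Files opens an SDK utility with write access."""
    if ev["id"] != 10 or basename(ev["target_image"]) not in DOTNET_HOLLOW_TARGETS:
        return None
    if TRUSTED_DIRS.match(ev["image"]) or not int(ev["access"], 16) & PROCESS_VM_WRITE:
        return None
    return ("hollowed_dotnet_utility", ev["pid"], ev["target_pid"])


def schtasks_xml_from_temp(ev):
    """Sysmon 1: schtasks /create importing task XML from a user-writable path."""
    if ev["id"] != 1 or basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmd"].lower()
    m = re.search(r'/xml\s+"?([^"]+)"?', cmd)
    if "/create" in cmd and m and USER_WRITABLE.search(m.group(1)):
        return ("schtasks_xml_from_temp", ev["pid"], m.group(1))
    return None


RULES = (run_key_to_user_dir, dotnet_utility_without_arguments, hollowed_dotnet_utility, schtasks_xml_from_temp)


def ancestry(events, pid):
    """Follow ppid links through EventID 1 records; returns [root, ..., pid]."""
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def correlate(events):
    """Run every rule over every event, then group hits by the root of their process tree
    so the stages collapse onto one sample instead of four unrelated alerts."""
    findings = [hit for ev in events for rule in RULES if (hit := rule(ev))]
    by_root = defaultdict(set)
    for name, pid, _ in findings:
        by_root[ancestry(events, pid)[0]].add(name)
    return findings, dict(by_root)


if __name__ == "__main__":
    hits, roots = correlate(EVENTS)
    for name, pid, detail in hits:
        print(f"{name:34} pid={pid} {detail}")
    print("chain:", " -> ".join(map(str, ancestry(EVENTS, 2564))))
    print("stages per root process:", roots)
```

Grouping by the tree root is what turns this into a single NanoCore alert: each rule on its own fires on plenty of benign software (installers write Run keys, build servers run msbuild.exe), but one root that accumulates three or four of the stages is worth an analyst's time.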
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe (PID 4172)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e1f61de3ae82c0cc2b89aa86dc3ef6d0.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\app.exe (PID 3992, child of 4172)
      Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe (PID 4380, child of 3992)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe (PID 2564, child of 4380)
            Command line: "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB220.tmp"
            - Creates scheduled task(s)
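The last step of the tree registers a task named "DDP Subsystem" by importing an XML definition from %TEMP%, which sidesteps the more commonly hunted `/sc` and `/tr` command-line forms. The report does not show the contents of tmpB220.tmp, so the audit below, an added example and not tria.ge code, works from the Task Scheduler XML schema instead: it parses a task document, flags actions that run from user-writable locations (directly, or via a signed host such as cmd.exe handed a path in %APPDATA%), and notes the hidden and highest-privilege settings that a persistence task typically sets. Both task documents in the block are constructed for illustration. On a live host the registered tasks are stored as XML under C:\Windows\System32\Tasks; the files there are UTF-16 with a BOM, which ET.parse handles when reading from disk.

```python
"""Audit Task Scheduler XML for an action that runs from a user-writable
directory. Added example; both task documents are constructed, not the
tmpB220.tmp file from the report."""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\|%appdata%|%localappdata%|%temp%|%public%)",
    re.I)
# Signed hosts that execute whatever path they are handed as an argument.
LOLBIN_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}

# Constructed: what a task like "DDP Subsystem" plausibly looks like. Not from the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Admin\AppData\Roaming\app.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign control: system binary, not hidden, least privilege.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\notepad.exe</Command><Arguments>/p</Arguments></Exec></Actions>
</Task>"""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_task(root: ET.Element):
    """Return (rule, detail) tuples for one parsed <Task> element."""
    findings = []
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(cmd):
            findings.append(("action_in_user_writable_dir", cmd))
        elif basename(cmd) in LOLBIN_HOSTS and USER_WRITABLE.search(args):
            findings.append(("lolbin_argument_in_user_writable_dir", f"{cmd} {args}"))
    if root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS).strip().lower() == "true":
        findings.append(("hidden_task", ""))
    if root.findtext(".//t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS).strip() == "HighestAvailable":
        findings.append(("runs_with_highest_available", ""))
    return findings


def audit_task_xml(document):
    """Audit one task document given as str or as the bytes read from disk."""
    return audit_task(ET.fromstring(document))


def audit_task_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the live task store and yield (path, findings) for every task with a hit."""
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = audit_task(ET.parse(path).getroot())
            except ET.ParseError:
                continue  # not every file in the store is a task document
            if hits:
                yield path, hits


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task_xml(doc))
```

Note that the action path test is deliberately separate from the hidden and run-level checks: a task whose only oddity is `<Hidden>true</Hidden>` is common in vendor software, whereas an action under %APPDATA% is the finding that maps back to this sample's Run key and dropped app.exe.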
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d81eb43d26d4511c44151cba2eb45983
SHA1: 135c98e039c6ab35d4e9564f15f9c56dc9dbeb9a
SHA256: a72a8f6434d6b0fb904db5adc8cab891d12c53b4ac1435dfd13df51f84a2d4d0
SHA512: b5895c19159d23a8fa312967e47d0855ac6f8f314f8931f54469b0c0079a22e9e00a5eaf6729761f74d54e111454d49813e658243e920a9c3434a5576cdda721

Filesize: 1.1MB
MD5: 3db52f4b619b6ecc831a78f6e3fc6c33
SHA1: 7f08bbbc4578e7662ce1c19a08ccc2991099e2eb
SHA256: dfd8b07da3eda3a10f692f37ca126d7e2b51383398fc819482e3c4b5e8b986ad
SHA512: 6039f4d7018a3821238908676d172cac7ff45ffaab23733957b5494dc0690e49993128153ac7a5d8d35e30a40ae4642a2041da227181d3a8d26af06907d359a4