Analysis
  max time kernel:  171s
  max time network: 164s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231023-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        07/11/2023, 19:05
Static task: static1
Behavioral task: behavioral1
  Sample:   NEAS.762ce72eed847280113ec690c9992970.exe
  Resource: win10v2004-20231023-en
General
  Target: NEAS.762ce72eed847280113ec690c9992970.exe
  Size:   660KB
  MD5:    762ce72eed847280113ec690c9992970
  SHA1:   bfae6f5d06969d73de02b977bc233c98921eeeb1
  SHA256: 7f101603fbb2821504cf2c71fca0450689dfcd6d1f36e57e27f0392be0f2d1dd
  SHA512: a00c47ff4dcdb0fcf0a1fe6fddd05ba13b6bbe44923018142e8c37fd90a9bdb756c9012b8610231512db6efd33583c4e42d295bc57f5d380a968c8acc514318c
  SSDEEP: 12288:SMrzy904l2PWhiqJWsf5oUK+ktPwlytEOJuNTSZXlvrAxM:JyzhiqIuik8BqOJITQsxM
Malware Config
Signatures
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  4388 | 1Am61ri0.exe
  3084 | 2Tc4789.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.762ce72eed847280113ec690c9992970.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4388 set thread context of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 3084 set thread context of 4188 | 3084 | 2Tc4789.exe | 101

- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  5072 | 4188 | WerFault.exe | 101
  2568 | 4188 | WerFault.exe | 101

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2880 | AppLaunch.exe
  2880 | AppLaunch.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2880 | AppLaunch.exe

- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 3584 wrote to memory of 4388 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 97
  PID 3584 wrote to memory of 4388 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 97
  PID 3584 wrote to memory of 4388 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 97
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 4388 wrote to memory of 2880 | 4388 | 1Am61ri0.exe | 98
  PID 3584 wrote to memory of 3084 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 99
  PID 3584 wrote to memory of 3084 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 99
  PID 3584 wrote to memory of 3084 | 3584 | NEAS.762ce72eed847280113ec690c9992970.exe | 99
  PID 3084 wrote to memory of 548 | 3084 | 2Tc4789.exe | 100
  PID 3084 wrote to memory of 548 | 3084 | 2Tc4789.exe | 100
  PID 3084 wrote to memory of 548 | 3084 | 2Tc4789.exe | 100
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 3084 wrote to memory of 4188 | 3084 | 2Tc4789.exe | 101
  PID 4188 wrote to memory of 5072 | 4188 | AppLaunch.exe | 103
  PID 4188 wrote to memory of 5072 | 4188 | AppLaunch.exe | 103
  PID 4188 wrote to memory of 5072 | 4188 | AppLaunch.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.762ce72eed847280113ec690c9992970.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.762ce72eed847280113ec690c9992970.exe"
  PID: 3584
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Am61ri0.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Am61ri0.exe
    PID: 4388
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 2880
      Signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Tc4789.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Tc4789.exe
    PID: 3084
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 548
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4188
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 540
        PID: 5072
        Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 540
        PID: 2568
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4188 -ip 4188
  PID: 1188
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 1.6MB
  MD5:    55e4afca8b6e5d1c28d5742cb1a924ab
  SHA1:   b0385b0c16ae475eb0b3b6d62fe4971f694f22b4
  SHA256: 301a1c9f4e82fc8f57577ea399a2591557ff57d337472c3f8482a89c5b4105d5
  SHA512: 0ba4f57f16d0e6cd7dc8170280efd2e801e1239a392c751cfe1d9bf3a9d96f2a19585132761aea429ee86e3b09907f7b49b064da613bb7dfe2e352fbc330806e
- Filesize: 1.8MB
  MD5:    dbe718ef607358c36036fbcb8654616e
  SHA1:   6b2c3f93d5fb83bc3cc1c258fb3d27117c26e250
  SHA256: 1f224093b9557dd73caaf1c6a823028c286ddd3414bceb0860e0fe084fb8c2ab
  SHA512: 00d25fc409dfc18d5a936d7d201f12b96eebbaaacf4b6713c6d21c790a1910943f66332af9bcda0574a6406abae9b569d881257a3113b1dca689fcf80dddf90e