Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2023, 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.bd512653faade6bb365d077d1b7a0410.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.bd512653faade6bb365d077d1b7a0410.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.bd512653faade6bb365d077d1b7a0410.exe
Size: 280KB
MD5: bd512653faade6bb365d077d1b7a0410
SHA1: 4061759d0861c292bc37d1c4c9a0456458255db8
SHA256: 36f6bd809c5acad2129682600ab3ed12482709c72922e8cf72163a4be03f26ad
SHA512: a2774736e0bf7776f5478bff39fede73b5337eb9d0518f5d4879bebd8c70f4d8bd4ee90bd859e1a0185e0f1a519c8778f8c009925f87b04cc4b393aa0b097df9
SSDEEP: 3072:Da+SiHOPiu8aQb3TqDUCiGjHJDbRv9y+qwa+rZf/MVBXx1:zSiHOq3TqD+0HBb5ta+rZ3MTL
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | NEAS.bd512653faade6bb365d077d1b7a0410.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | baocua.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  388 | baocua.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe
  1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe
  388 | baocua.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1612 wrote to memory of 388 | 1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe | 28
  PID 1612 wrote to memory of 388 | 1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe | 28
  PID 1612 wrote to memory of 388 | 1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe | 28
  PID 1612 wrote to memory of 388 | 1612 | NEAS.bd512653faade6bb365d077d1b7a0410.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.bd512653faade6bb365d077d1b7a0410.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.bd512653faade6bb365d077d1b7a0410.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1612
  - C:\Users\Admin\baocua.exe (child of PID 1612)
    Command line: "C:\Users\Admin\baocua.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 388
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 280KB
  MD5: 7706e7aeeb3c25f3c3bf4fa3db4104c8
  SHA1: 97d3152b38459d5d6b7bf5463b845a0f1d2f24aa
  SHA256: 52342becb92970dfb59fa7a74fdbbb367f97ccace36bd96c0fc1f11eac8dd26a
  SHA512: 23372395ba5c5f24916d5c7f5193a1b79b4ff286dba70cc1b7eddb8841e7ce5f54d42840fef6c7e858de355f2a4ca88abf210feacadc7bfcbe19c2cb532412aa