Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/11/2023, 07:57
Static task
- static1

Behavioral task
- behavioral1
  - Sample: NEAS.0fd422047b061232cf72e7fd392c1650.exe
  - Resource: win7-20231020-en

Behavioral task
- behavioral2
  - Sample: NEAS.0fd422047b061232cf72e7fd392c1650.exe
  - Resource: win10v2004-20231023-en
General
- Target: NEAS.0fd422047b061232cf72e7fd392c1650.exe
- Size: 84KB
- MD5: 0fd422047b061232cf72e7fd392c1650
- SHA1: 4014c08ee550460a82a9fe686c65c49227315cd8
- SHA256: 5f978332e24290efe42766ab9fd2cc7bb0c58e112b06fe3d5337ddcc0685431d
- SHA512: e941fa288a0186283e442f807305c5700939011621607f022ea86dc5415b8edd5fa98c0d2949d355d5294a3a5cf10ffb7267607628bb63d6b26148c62e90d637
- SSDEEP: 768:5BBdFYDgao5/AUrLEEzayTpBJfxBDlxkFNXK8D1Fojx:5pcC/eAayJ3Rx8y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1560 | rundll32.exe

- Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\¢«.exe | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  File created | C:\Windows\SysWOW64\notepad¢¬.exe | NEAS.0fd422047b061232cf72e7fd392c1650.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\system\rundll32.exe | NEAS.0fd422047b061232cf72e7fd392c1650.exe
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1700035083" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1700035083" | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "505" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | NEAS.0fd422047b061232cf72e7fd392c1650.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  4680 | NEAS.0fd422047b061232cf72e7fd392c1650.exe (the same entry is repeated 28 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1560 | rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4680 | NEAS.0fd422047b061232cf72e7fd392c1650.exe
  1560 | rundll32.exe
  1560 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4680 wrote to memory of 1560 | 4680 | NEAS.0fd422047b061232cf72e7fd392c1650.exe | 91
  PID 4680 wrote to memory of 1560 | 4680 | NEAS.0fd422047b061232cf72e7fd392c1650.exe | 91
  PID 4680 wrote to memory of 1560 | 4680 | NEAS.0fd422047b061232cf72e7fd392c1650.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.0fd422047b061232cf72e7fd392c1650.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0fd422047b061232cf72e7fd392c1650.exe"
  PID: 4680
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system\rundll32.exe (child of PID 4680)
    Command line: C:\Windows\system\rundll32.exe
    PID: 1560
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 110KB
  MD5: 4f38f66dbe8f19a498b3009b4a56fd36
  SHA1: 32f73a504f3d703739197492383c611d92cb74e4
  SHA256: 86d138ab1a2b0e1a7d866d488beaa9747b939a220b6e1ecfe66e58495fce2641
  SHA512: 604eeb3c9524f12777e9fa510843405562662d158702e893e0101db2bca180f6e38bd79458ae1f244a581fb53d836aa5b9bc361c9bfcc9673e3a89cda5527a54