Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    47s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/11/2023, 08:43

General

  • Target

    NEAS.5e039bf61627dacd27bd0f2dd48267d0.exe

  • Size

    714KB

  • MD5

    5e039bf61627dacd27bd0f2dd48267d0

  • SHA1

    8e6ed9c06d6ef5387e8f0a7651a086cb3bf26cfa

  • SHA256

    3ecc9228c624d9733273a52c10fe3981fe583cb690351a58944a8c36a829f044

  • SHA512

    a5436ebda59faf27ccddf2966ec92588d54a49e5e4e14dcc7bc52b75acc2b23264fd832846364c548aa08998f0b106161223c9390444ac966b1e27a48f17768b

  • SSDEEP

    12288:phJ6nTOYREU1gL5pRTcAkS/3hzN8qE43fm78VL:phJ6nTOYKx5jcAkSYqyEL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5e039bf61627dacd27bd0f2dd48267d0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5e039bf61627dacd27bd0f2dd48267d0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2580
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev16B0.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.5e039bf61627dacd27bd0f2dd48267d0.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\NEAS.5E039BF61627DACD27BD0F2DD48267D0.EXE
        3⤵
        • Executes dropped EXE
        PID:4724
      • C:\WINDOWS\MSWDM.EXE
        -e!C:\Windows\dev16B0.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.5E039BF61627DACD27BD0F2DD48267D0.EXE!
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5E039BF61627DACD27BD0F2DD48267D0.EXE

    Filesize

    714KB

    MD5

    94de4ae2a122f3039c48dadfe9c0e9fd

    SHA1

    e1ff1b2fd61d773d1e234f8e326764a21dea7ab0

    SHA256

    088e97b85d5c59065d30a17cbfeae9489694246cff39f74ab947986142d3ac3f

    SHA512

    3eb4074e50185cd57c94ffcb1588e0a7807fc9e71349558fbed4da6eaf954fb0ff8ad59efc66d1b9088597f84500ef8bf6300d358e5c99fbc0c9467535c4bab4

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5E039BF61627DACD27BD0F2DD48267D0.EXE

    Filesize

    714KB

    MD5

    94de4ae2a122f3039c48dadfe9c0e9fd

    SHA1

    e1ff1b2fd61d773d1e234f8e326764a21dea7ab0

    SHA256

    088e97b85d5c59065d30a17cbfeae9489694246cff39f74ab947986142d3ac3f

    SHA512

    3eb4074e50185cd57c94ffcb1588e0a7807fc9e71349558fbed4da6eaf954fb0ff8ad59efc66d1b9088597f84500ef8bf6300d358e5c99fbc0c9467535c4bab4

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5e039bf61627dacd27bd0f2dd48267d0.exe

    Filesize

    458KB

    MD5

    619f7135621b50fd1900ff24aade1524

    SHA1

    6c7ea8bbd435163ae3945cbef30ef6b9872a4591

    SHA256

    344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

    SHA512

    2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\dev16B0.tmp

    Filesize

    458KB

    MD5

    619f7135621b50fd1900ff24aade1524

    SHA1

    6c7ea8bbd435163ae3945cbef30ef6b9872a4591

    SHA256

    344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

    SHA512

    2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628