Analysis
- max time kernel: 151s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/11/2023, 22:58
Static task: static1
Behavioral task: behavioral1 (sample NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe, resource win7-20231020-en)
Behavioral task: behavioral2 (sample NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe, resource win10v2004-20231020-en)
The signatures, process tree and dropped files below are from the windows10-2004_x64 run (behavioral2); the Windows 7 task is not shown on this page.
General
- Target: NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
- Size: 211KB
- MD5: 3aa153304f53a2ea33e4c74a4ad07dd0
- SHA1: 620eb2916f6c484e6ddc95932e8ef7b3720a137f
- SHA256: 91e8a25e056ef3d6d6c733170ba9ae92e2dac95866c2c7ef865eb97cf77b91b1
- SHA512: b16947b8f6b7558dc410657032722520dc9b7491045763ca071133b358904b15a795017d99adba66ea08843f2094951b137335456776a6e21f8fcbf81fc6af8a
- SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1Fqnj:b1iNKQxENHLfMgw7y9Zrs
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) by userinit.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"
- Set value (str) by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"
Note: Winlogon\Shell normally holds only explorer.exe; every comma-separated entry is started at logon. The appended c:\windows\userinit.exe is the dropped copy written by the sample (see "Drops file in Windows directory"), not the legitimate C:\Windows\System32\userinit.exe. The WOW6432Node path shows the writers are 32-bit processes on the x64 guest.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) by userinit.exe: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- Set value (int) by swchost.exe: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Note: ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer. It is also the Windows default, so on its own it is a weak indicator; here it is corroborating evidence that the copies in c:\windows are meant to stay out of sight.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created by swchost.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- Set value (str) by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
- Key deleted by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Key created by swchost.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str) by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
- Key deleted by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- Key created by userinit.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str) by userinit.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
Note: Active Setup runs a component's StubPath once per user at logon when the HKLM entry has no matching record under that user's HKCU key, so this is a third autostart path in addition to Winlogon\Shell and RunOnce. Neither component name is a valid GUID (VMVQ, OTRW, U5GH and similar groups are not hexadecimal), which is an easy thing to alert on. mrsys.exe in AppData\Local is referenced only here; none of the file-write signatures on this page records it being written.
Executes dropped EXE (4 IoCs)
- PID 2088: userinit.exe
- PID 2148: spoolsw.exe
- PID 2912: swchost.exe
- PID 2516: spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) by userinit.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"
- Set value (str) by userinit.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"
- Set value (str) by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"
- Set value (str) by swchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"
Note: RunOnce entries are removed by Windows once they have run, so each of the two binaries re-registers both of them; the value name "userinit" and the target directory c:\windows are chosen to blend in with the real userinit.exe in System32.
Drops file in System32 directory (1 IoC)
- File opened for modification by userinit.exe: C:\Windows\SysWOW64\udsys.exe
Note: SysWOW64 is the 32-bit system directory on x64 Windows, consistent with the WOW6432Node registry writes above.
Drops file in Windows directory (5 IoCs)
- File opened for modification by NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe: \??\c:\windows\userinit.exe
- File opened for modification by userinit.exe: \??\c:\windows\spoolsw.exe
- File opened for modification by spoolsw.exe: \??\c:\windows\swchost.exe
- File opened for modification by userinit.exe: \??\c:\windows\userinit.exe
- File opened for modification by swchost.exe: \??\c:\windows\swchost.exe
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1124 NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe: 2 entries
- PID 2088 userinit.exe and PID 2912 swchost.exe: the remaining 62 entries, alternating between the two processes in roughly equal numbers
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2912: swchost.exe
- PID 2088: userinit.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1124 NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe: 2 entries
- PID 2088 userinit.exe: 4 entries
- PID 2148 spoolsw.exe: 2 entries
- PID 2912 swchost.exe: 2 entries
- PID 2516 spoolsw.exe: 2 entries
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent-to-child write is recorded three times; procid_target is the sandbox's index of the child.
- PID 1124 (NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe) wrote to memory of PID 2088, procid_target 90 (x3)
- PID 2088 (userinit.exe) wrote to memory of PID 2148, procid_target 91 (x3)
- PID 2148 (spoolsw.exe) wrote to memory of PID 2912, procid_target 92 (x3)
- PID 2912 (swchost.exe) wrote to memory of PID 2516, procid_target 93 (x3)
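The registry writes in this section are the stable indicators of the sample's persistence (the dropped files hash differently on every run, see Downloads). The block below is an added example and is not code from the Triage report or from the sample: it applies four rule checks to registry-write events normalised into a simple dict shape (an assumed form, not any real sensor's schema). The event records are constructed from the IoC lines above, plus two constructed benign controls (an msiexec.exe Shell write and a Program Files RunOnce entry) to show the rules do not fire on ordinary activity.

```python
"""Rule checks for the registry persistence IoCs in this report.

Added example, not part of the Triage report or the sample. The event records
are constructed from the Signatures section; their shape (proc/op/key/name/value)
is an assumed normalised form, not a real sensor schema.
"""
import re
from typing import Dict, List

# Constructed from the report's IoC lines (record shape assumed). The last two
# records are constructed benign controls.
EVENTS = [
    {"proc": "userinit.exe", "op": "set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "shell", "value": r"C:\Windows\explorer.exe, c:\windows\userinit.exe"},
    {"proc": "swchost.exe", "op": "set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
     "name": "StubPath", "value": r"C:\Users\Admin\AppData\Local\mrsys.exe MR"},
    {"proc": "userinit.exe", "op": "set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "Swchost", "value": r"c:\windows\swchost.exe RO"},
    {"proc": "userinit.exe", "op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "ShowSuperHidden", "value": "0"},
    {"proc": "msiexec.exe", "op": "set",   # constructed benign control: stock Shell value
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "value": "explorer.exe"},
    {"proc": "setup.exe", "op": "set",     # constructed benign control: RunOnce into Program Files
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "ExampleUpdater", "value": r'"C:\Program Files\Example\updater.exe" /silent'},
]

# Keys are lower-cased before matching, so the GUID pattern is lower-case hex.
HEX_GUID = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$")
# First executable in a command-line style value, with or without surrounding quotes.
EXE_TOKEN = re.compile(r'^\s*"?([^"]+?\.exe)', re.IGNORECASE)


def _dirname(path: str) -> str:
    path = path.strip().lower()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _basename(path: str) -> str:
    return path.strip().lower().rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    # Profile, AppData and Temp directories can be replaced without admin rights.
    d = _dirname(path) + "\\"
    return d.startswith("c:\\users\\") or "\\appdata\\" in d or "\\temp\\" in d


def check_event(ev: dict) -> List[str]:
    """Return the rule names the registry event matches (empty list for benign events)."""
    if ev["op"] not in ("set", "create"):
        return []
    key, name, value = ev["key"].lower(), ev["name"].lower(), str(ev["value"])
    hits: List[str] = []

    # Winlogon\Shell should be exactly explorer.exe; every comma-separated entry runs at logon.
    if key.endswith("\\winlogon") and name == "shell":
        entries = [e for e in (x.strip() for x in value.split(",")) if e]
        if any(_basename(e) != "explorer.exe" or _dirname(e) not in ("", "c:\\windows") for e in entries):
            hits.append("winlogon_shell_extra_program")

    # Active Setup: the component name must be a real GUID, and StubPath runs once
    # per user at logon, so a user-writable target is a persistence hook.
    m = re.search(r"\\active setup\\installed components\\(\{[^\\]*\})$", key)
    if m:
        if not HEX_GUID.match(m.group(1)):
            hits.append("active_setup_malformed_guid")
        exe = EXE_TOKEN.match(value) if name == "stubpath" else None
        if exe and _user_writable(exe.group(1)):
            hits.append("active_setup_stubpath_user_writable")

    # Run/RunOnce targets directly under C:\Windows (not System32/SysWOW64) or in
    # user-writable directories. Heuristic: a few legitimate binaries do live in C:\Windows.
    if re.search(r"\\currentversion\\run(once)?$", key):
        exe = EXE_TOKEN.match(value)
        if exe and (_dirname(exe.group(1)) == "c:\\windows" or _user_writable(exe.group(1))):
            hits.append("run_key_unusual_target_dir")

    # ShowSuperHidden=0 is also the Windows default, so this rule is corroborating only.
    if key.endswith("\\explorer\\advanced") and name == "showsuperhidden" and value == "0":
        hits.append("explorer_hides_superhidden_files")
    return hits


def scan(events) -> Dict[str, List[str]]:
    """Map each rule name to the sorted list of processes that triggered it."""
    out: Dict[str, set] = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(rule, set()).add(ev["proc"])
    return {rule: sorted(procs) for rule, procs in sorted(out.items())}


if __name__ == "__main__":
    for rule, procs in scan(EVENTS).items():
        print(f"{rule}: {', '.join(procs)}")
```

Run stand-alone, the script reports the Winlogon, RunOnce and ShowSuperHidden rules against userinit.exe and both Active Setup rules against swchost.exe, and nothing for the two benign controls. The Winlogon and Active Setup rules are strong on their own; the RunOnce and ShowSuperHidden rules are heuristics and are best scored together with the others for the same process.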
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe (PID 1124, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\userinit.exe (PID 2088, depth 2, child of 1124)
    command line: c:\windows\userinit.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\spoolsw.exe (PID 2148, depth 3, child of 2088)
      command line: c:\windows\spoolsw.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\swchost.exe (PID 2912, depth 4, child of 2148)
        command line: c:\windows\swchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\spoolsw.exe (PID 2516, depth 5, child of 2912)
          command line: c:\windows\spoolsw.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
The tree is a straight chain: the submitted sample writes c:\windows\userinit.exe and starts it, and each dropped copy writes and starts the next. All four dropped processes run from c:\windows under names that shadow real system binaries (userinit.exe belongs in System32; spoolsw.exe and swchost.exe differ by one letter from spoolsv.exe and svchost.exe), and the copies are launched with short argument strings (SE, PR here; RO and MR in the RunOnce and StubPath values).
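The process tree above is the other stable signal in this report: system-binary names launched from the wrong directory, and names one character away from real ones. The block below is an added example, not code from the Triage report or the sample, that classifies process-creation events on those two properties and walks the parent links back to the root. PROCESS_EVENTS is constructed from the tree above (pid, parent pid, image, command line); the record shape is assumed, not a real sensor's schema, and SYSTEM_BINARIES is a small hand-written table of where those binaries live on x64 Windows.

```python
"""Process-lineage checks for the dropped binaries in this report.

Added example, not part of the Triage report or the sample. PROCESS_EVENTS is
constructed from the process tree on the page; its shape is assumed.
"""
from typing import Dict, List, Optional

# Where each well-known Windows binary legitimately lives on an x64 install
# (hand-written table for this example, lower-case, no trailing backslash).
SYSTEM_BINARIES = {
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Constructed from the report's process tree (pid, parent pid, image, command line).
PROCESS_EVENTS = [
    {"pid": 1124, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe"'},
    {"pid": 2088, "ppid": 1124, "image": r"c:\windows\userinit.exe", "cmdline": r"c:\windows\userinit.exe"},
    {"pid": 2148, "ppid": 2088, "image": r"c:\windows\spoolsw.exe", "cmdline": r"c:\windows\spoolsw.exe SE"},
    {"pid": 2912, "ppid": 2148, "image": r"c:\windows\swchost.exe", "cmdline": r"c:\windows\swchost.exe"},
    {"pid": 2516, "ppid": 2912, "image": r"c:\windows\spoolsw.exe", "cmdline": r"c:\windows\spoolsw.exe PR"},
]


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character swaps like svchost/swchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image: str) -> Optional[str]:
    """Return a finding for an image path, or None if it looks ordinary."""
    path = image.lower()
    directory, _, name = path.rpartition("\\")
    if name in SYSTEM_BINARIES:
        # Right name, wrong directory: the dropped userinit.exe in c:\windows.
        return None if directory in SYSTEM_BINARIES[name] else f"misplaced_system_binary:{name}"
    stem = name[:-4] if name.endswith(".exe") else name
    for known in SYSTEM_BINARIES:
        # One edit away from a system binary name: spoolsw/spoolsv, swchost/svchost.
        if _edit_distance(stem, known[:-4]) == 1:
            return f"lookalike:{known}"
    return None


def audit(events) -> Dict[int, str]:
    """Findings keyed by pid; processes with no finding are omitted."""
    findings: Dict[int, str] = {}
    for ev in events:
        finding = classify(ev["image"])
        if finding:
            findings[ev["pid"]] = finding
    return findings


def lineage(events, pid: int) -> List[int]:
    """Walk parent links back to the root and return the chain root..pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain: List[int] = []
    while pid is not None and pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    found = audit(PROCESS_EVENTS)
    for ev in PROCESS_EVENTS:
        print(f"{ev['pid']:>5} {ev['cmdline']:<60} {found.get(ev['pid'], '-')}")
    print("lineage of 2516:", " -> ".join(map(str, lineage(PROCESS_EVENTS, 2516))))
```

The submitted sample itself gets no finding (a random name in Temp is not what these two rules look for); the four dropped processes do, and the lineage walk ties them back to PID 1124 so the whole chain can be reported as one incident. A distance-1 rule will also match some legitimate names, so in production it should be combined with the directory check rather than used alone.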
Network
MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution, T1547 (3): Registry Run Keys / Startup Folder, T1547.001 (2); Winlogon Helper DLL, T1547.004 (1)
- Privilege Escalation: Boot or Logon Autostart Execution, T1547 (3): Registry Run Keys / Startup Folder, T1547.001 (2); Winlogon Helper DLL, T1547.004 (1)
Downloads
Nine files are listed, all 211KB (the same size as the submitted sample) but with only four distinct hashes, none of which matches the submitted sample's hashes in General above. File paths are not shown on this page. Because every copy hashes differently, hash IoCs from this run will not match the next one; the file paths and registry keys in Signatures are the stable indicators.

- Filesize: 211KB (listed once)
  MD5: 8d0be22ebb05ea65f863bb64204a6cef
  SHA1: c122341fd3371abf5b03274c9f8d99d2b6aa5870
  SHA256: da6c5820a48dd59e52dfe8798578ef919cdca107bf1a24acf2a723127e91a712
  SHA512: 89cb779d377d5ca957f364a22b0189cddbad50f65499b37e692c6c1058ed005711122eeafdc87ddf1775f0dfdb97e72250e9d1f133c7b1419719ed715922820c
- Filesize: 211KB (listed four times)
  MD5: bf98c56ad3f8de5e95ad2d96ec5040ac
  SHA1: bd664c34695944cc25555e339801882dc6292add
  SHA256: a09e736708fe2350bcb320c62a97cd2e96bb17ea3e3262bfeebe5d006fbac16b
  SHA512: 74a5527e6f879734905e0a3c137462b8d8bc97b258949ff05aa3566adf52afe7dd0c49231a5feaf9cdd5d2f096608af2dc63e4e50daa51ecd22e856d5ef715fa
- Filesize: 211KB (listed twice)
  MD5: ef0365ab50e77ffb1909e9b70e1da8ea
  SHA1: c7f44b8c9760928a637a4fee5cf10822de277746
  SHA256: 6ac0913f89985cc90eb168abfe8870708437882f142e85297bffae42b407eb56
  SHA512: da0a4adf04df46733d2f8dd4d9de37763cf83fc56948786cdf76010804b5d7a426ec27980994402101819cae657d74d1667d7a75458883b8fcd54275c76a9d58
- Filesize: 211KB (listed twice)
  MD5: cd91087c6edc548418660920086eede8
  SHA1: 8e8ef9ccd99cc279c31ceece9d1313b036ba0409
  SHA256: a7446bcd64f37b0e214c2c6256a3da93a4a4e3ab19d9aa45fc7109ca8f710a13
  SHA512: 7211496cfe26db9b915d1c206af53820c97a35c97ef3a0721544bc76977c053f463e3f7f585f76bb6b92a288be20210cf3999b180166ec4a1bda8a68d6082bb7