Analysis
  max time kernel: 150s
  max time network: 99s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/05/2024, 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: 7d04d9c582590db215169327b3c95170_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the run this report describes)
  Sample: 7d04d9c582590db215169327b3c95170_NEAS.exe
  Resource: win10v2004-20240419-en
General
  Target: 7d04d9c582590db215169327b3c95170_NEAS.exe
  Size: 65KB
  MD5: 7d04d9c582590db215169327b3c95170
  SHA1: 16131d62ef948938e0b8afb72d581c90eaaa8996
  SHA256: 77fb0809e2c9f40140a30339dbe85b64a6ad86de52f965fd077a8e4151b965ad
  SHA512: 2fccddb1c541d3883229d36ee283fe169725fda95b1222e6c9ad5ccb2af23407b8195b6fac402722eb75db08880a5255bdd275f2a3e2d88ec710990ae865e264
  SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuB:7WNqkOJWmo1HpM0MkTUmuB
Malware Config
Signatures
-
Detects BazaLoader malware (1 IoC)
  BazaLoader is a trojan that sends its logs to the command-and-control (C2) server, Base64-encoded, in HTTP GET requests.
  resource: behavioral2/memory/4916-37-0x0000000075530000-0x000000007568D000-memory.dmp
  yara_rule: BazaLoader
  Note: this is the only BazaLoader indicator in the report, a single YARA match on one memory region of the dropped svchost.exe (PID 4916). The Network section below records no traffic, so the C2 behaviour in the rule description was not observed in this run; treat the family attribution as resting on that one hit.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"   process: explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"   process: svchost.exe
  The Winlogon Shell value is a comma-separated list whose default is explorer.exe; appending c:\windows\system\explorer.exe makes Winlogon start the dropped copy alongside the real shell at logon. The write lands in the WOW6432Node view because the sample is a 32-bit process; the 64-bit Winlogon reads the native key, so a hunt should check both views.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   process: explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   process: svchost.exe
  ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer. Because 0 is also the default, the value alone is not an indicator; the write is only meaningful as the malware forcing the setting back off for a user who had enabled it.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   process: svchost.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   process: svchost.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   process: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   process: svchost.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}   process: svchost.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   process: explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   process: explorer.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}   process: svchost.exe
  Active Setup runs each component's StubPath once per user at the next logon, so mrsys.exe MR is launched from the user's roaming profile for every account that logs on. Both component names are only GUID-shaped: {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} and {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} contain non-hexadecimal characters, which makes them a cheap registry hunt.
Executes dropped EXE (4 IoCs)
  PID 1988  explorer.exe
  PID 4416  spoolsv.exe
  PID 4916  svchost.exe
  PID 4624  spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"   process: explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"   process: explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"   process: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"   process: svchost.exe
  RunOnce entries are removed after they execute at the next logon; here both the dropped explorer.exe and svchost.exe write them, and the value names (Explorer, Svchost) mimic the real binaries. The "RO" argument marks this launch path, alongside "SE", "PR" and "MR" in the other entries.
Drops file in Windows directory (6 IoCs)
  File opened for modification \??\c:\windows\system\explorer.exe   process: 7d04d9c582590db215169327b3c95170_NEAS.exe
  File opened for modification \??\c:\windows\system\spoolsv.exe   process: explorer.exe
  File opened for modification \??\c:\windows\system\svchost.exe   process: spoolsv.exe
  File opened for modification \??\c:\windows\system\explorer.exe   process: explorer.exe
  File opened for modification \??\c:\windows\system\svchost.exe   process: svchost.exe
  File opened for modification C:\Windows\system\udsys.exe   process: explorer.exe
  All copies are written to the legacy C:\Windows\system directory, not to C:\Windows or C:\Windows\System32 where the genuine explorer.exe, spoolsv.exe and svchost.exe live.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4712  7d04d9c582590db215169327b3c95170_NEAS.exe   x2
  PID 1988  explorer.exe   x34
  PID 4916  svchost.exe    x28
  (after the first entries the hits alternate in pairs between 1988 and 4916, consistent with both copies polling the process list continuously)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 1988  explorer.exe
  PID 4916  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 4712  7d04d9c582590db215169327b3c95170_NEAS.exe   x2
  PID 1988  explorer.exe   x4
  PID 4416  spoolsv.exe    x2
  PID 4916  svchost.exe    x2
  PID 4624  spoolsv.exe    x2
Suspicious use of WriteProcessMemory (21 IoCs; each relationship recorded 3 times)
  PID 4712  7d04d9c582590db215169327b3c95170_NEAS.exe  wrote to  PID 1988  explorer.exe   (target 83)
  PID 1988  explorer.exe                                 wrote to  PID 4416  spoolsv.exe    (target 84)
  PID 4416  spoolsv.exe                                  wrote to  PID 4916  svchost.exe    (target 85)
  PID 4916  svchost.exe                                  wrote to  PID 4624  spoolsv.exe    (target 86)
  PID 4916  svchost.exe                                  wrote to  PID 1480  at.exe         (target 87)
  PID 4916  svchost.exe                                  wrote to  PID 1608  at.exe         (target 103)
  PID 4916  svchost.exe                                  wrote to  PID 1444  at.exe         (target 117)
  Every write goes from a parent to a child it has just launched (compare the process tree below); no write into a process outside this tree is recorded.
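The checks a responder would run on a suspect host for the registry persistence listed above, as an added example: this is not code from the tria.ge report or from the sample. The key paths and values are taken from the signatures; the Add-Finding helper, the GUID pattern, the C:\Windows\system path test and the output format are this example's own choices. ShowSuperHidden is deliberately not checked, because 0 is also its default value and so proves nothing on its own. Run from an elevated PowerShell prompt.

```powershell
# Added example (not part of the tria.ge report): hunt a live host for the
# registry persistence this sample writes. Run as an administrator.
# Key paths and values come from the report; the finding format is assumed.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Path, [string]$Value, [string]$Why)
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Value = $Value; Why = $Why })
}

# 1. Winlogon Shell in both registry views. The default is exactly
#    "explorer.exe"; the sample appends a second, comma-separated entry.
foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    if (Test-Path $base) {
        $shell = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            Add-Finding 'Winlogon Shell' $base $shell 'Shell is not the default explorer.exe'
        }
    }
}

# 2. Active Setup: every StubPath runs once per user at the next logon.
#    Flag component names that are not GUID-shaped (the sample uses names
#    such as {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}) and stubs that live
#    under a user profile (the sample's is %APPDATA%\mrsys.exe).
#    A leading ">" is allowed: some legitimate components use it.
$guidPattern = '^>?\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'
foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $stub     = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        $badName  = $_.PSChildName -notmatch $guidPattern
        $userStub = [bool]($stub -and $stub -match '(?i)\\Users\\|AppData|%APPDATA%')
        if ($badName -or $userStub) {
            Add-Finding 'Active Setup StubPath' $_.PSPath "$stub" "malformed name=$badName; stub under user profile=$userStub"
        }
    }
}

# 3. Run / RunOnce in both views: anything launched from C:\Windows\system,
#    the legacy directory the sample drops its copies into.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        if ("$($p.Value)" -match '(?i)\\windows\\system\\') {
            Add-Finding 'Run/RunOnce' "$key\$($p.Name)" "$($p.Value)" 'launches from C:\Windows\system'
        }
    }
}

if ($findings.Count -eq 0) { 'No persistence indicators from this report were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The Winlogon check compares against the literal default rather than searching for the dropped path, so it also catches a different second entry; the Run/RunOnce check keys on the drop directory rather than the value names, since "Explorer" and "Svchost" are trivially changed.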
Processes (indented by parent/child relationship)
  C:\Users\Admin\AppData\Local\Temp\7d04d9c582590db215169327b3c95170_NEAS.exe   PID 4712
    command: "C:\Users\Admin\AppData\Local\Temp\7d04d9c582590db215169327b3c95170_NEAS.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe   PID 1988
      command: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\spoolsv.exe   PID 4416
        command: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe   PID 4916
          command: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe   PID 4624
            command: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe   PID 1480
            command: at 06:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe   PID 1608
            command: at 06:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe   PID 1444
            command: at 06:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

  The chain is sample -> explorer.exe -> spoolsv.exe SE -> svchost.exe -> spoolsv.exe PR, each stage a copy in c:\windows\system with a two-letter argument selecting its role. The three at.exe calls try to schedule the svchost.exe copy to run interactively every day of the week at 06:11, 06:12 and 06:13 (two to three minutes after the 06:09 submission). On Windows 8 and later at.exe is deprecated and refuses to create jobs, so on this Windows 10 image they would have produced no task; on the Windows 7 image of behavioral1 the same commands would create jobs visible in Task Scheduler as At1, At2 and At3.
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 2
      Winlogon Helper DLL (T1547.004): 1
  Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 2
      Winlogon Helper DLL (T1547.004): 1
  The automatic mapping stops at the Run/RunOnce and Winlogon writes. The behaviour above also covers Active Setup (T1547.014), the at.exe jobs (Scheduled Task/Job: At, T1053.002) and the ShowSuperHidden change (Hide Artifacts: Hidden Files and Directories, T1564.001).
Downloads (files dropped during the run; the report does not map these hashes to file names)
  1. Filesize: 65KB
     MD5: 9f3dbfc2613d44864a2bc47c9f365b4f
     SHA1: ec30404c49ae1cde606441cb87058d0d74ffde00
     SHA256: 3e111f4c399c5e030eb279fa40a62eda43e6279ef2c242e2ae46fe0ef89e707a
     SHA512: 5b0d536057f99b29e29da110ead29e6e03392e5bd482ad9544273b4036a285d09c7caf9e7bef594294f177c2cff130b0aa62b02f3f5caf4b95c37047241437ea
  2. Filesize: 65KB
     MD5: a62ab445405d81bdaa23d0814fca6a1b
     SHA1: ae2f5fc8da8c310becd1a63ad9142b5765ed922b
     SHA256: 75573dd45b43f950b31866fe931e105b7063635ec78eaf08b8d8772afaa59f85
     SHA512: b4cac0a538c938548e78bfe91614b6e75e1b7beb743fd8adfb6986c97c5ca9c260d980cfd4d4c15aa6a2c35216834ca19f18ebc2dc54dfb24dfa67cba56cb35e
  3. Filesize: 65KB
     MD5: 6e670fed5715c7bd1f863b4ee60b813d
     SHA1: 2573d0214e84218a8dd5f41ca2c64547c6b1e568
     SHA256: 9643895f3d21cdc6d18d5757d52f76c4f7b81ccab6c399fe8ae88c4129e5dcdb
     SHA512: ea94e7fb705e1f13900ded659a6f4520ba94bb573dd48c21d7b24c5b2d06b24c0e96ecf3afbedb334986d790f7adfed901793d265a86de12ef8e39c63523ce71
  4. Filesize: 65KB
     MD5: 195384b266db180efd290de9c877786e
     SHA1: 2d3900e668baea5c8b6c6a99db3e69975f05c870
     SHA256: 85bf5a33004b388d99f0c57ae4511b145467d9fbf8d84c4cf9c23de1b49e609d
     SHA512: 430f10834cea3a16cf76cf7c9a0baa93970fc411383a216edb90498b99bd3c5846aa45f443a2cf1fabd0ee4a1139d7e191136a4abbec1850ff0840117198ce03
  All four dropped files are the same size as the submitted sample (65KB) but none shares its hash and no two share a hash with each other, so hash-based matching will not reliably find other copies; the drop locations and scheduled jobs are the stronger host indicators.
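A host check for the file drops and at.exe jobs shown in the process tree, with the hashes from General and Downloads, as an added example that is not part of the tria.ge report or the sample. The SHA256 list and the drop paths are copied from the report; the decision to expand mrsys.exe across every profile, the Authenticode check and the scheduled-task action filter are this example's own assumptions. Run from an elevated PowerShell prompt.

```powershell
# Added example (not part of the tria.ge report): look for the dropped files
# and scheduled jobs this sample creates and match hashes against the report.
# Run as an administrator.

# SHA256 values copied from the report's General and Downloads sections.
$knownSha256 = @(
    '77fb0809e2c9f40140a30339dbe85b64a6ad86de52f965fd077a8e4151b965ad',  # submitted sample
    '3e111f4c399c5e030eb279fa40a62eda43e6279ef2c242e2ae46fe0ef89e707a',  # dropped file 1
    '75573dd45b43f950b31866fe931e105b7063635ec78eaf08b8d8772afaa59f85',  # dropped file 2
    '9643895f3d21cdc6d18d5757d52f76c4f7b81ccab6c399fe8ae88c4129e5dcdb',  # dropped file 3
    '85bf5a33004b388d99f0c57ae4511b145467d9fbf8d84c4cf9c23de1b49e609d'   # dropped file 4
)

# Paths from the "Drops file in Windows directory" and Active Setup entries.
# mrsys.exe lives under a user profile, so it is expanded for every profile.
$candidates = @(
    "$env:SystemRoot\system\explorer.exe",
    "$env:SystemRoot\system\spoolsv.exe",
    "$env:SystemRoot\system\svchost.exe",
    "$env:SystemRoot\system\udsys.exe"
)
$candidates += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\mrsys.exe' }

# Presence is the primary signal: none of these names belongs in C:\Windows\system.
# The hash match is secondary, since every dropped copy in the report has a
# different hash, and an unsigned binary there is worth a look either way.
$fileHits = foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path      = $path
            SHA256    = $h
            KnownHash = $knownSha256 -contains $h
            Signed    = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
        }
    }
}

# Scheduled jobs. at.exe-created jobs appear in the Task Scheduler root as
# At1, At2, ...; rather than trust the name, flag any task whose action runs
# from C:\Windows\system. (On Windows 8 and later at.exe refuses to create
# jobs, so hits here are expected on Windows 7 era hosts, not on this
# report's Windows 10 image.)
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -match '(?i)\\windows\\system\\') {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

if (-not $fileHits -and -not $taskHits) { 'No dropped files or scheduled jobs from this report were found.' }
$fileHits | Format-Table -AutoSize
$taskHits | Format-Table -AutoSize
```

If a hit shows KnownHash = False, do not discard it: the Downloads section already shows four 65KB copies with four different hashes from a single run, so an unknown hash at one of these paths is the expected case, not a false positive.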