Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 08:14
Static task: static1
Behavioral task: behavioral1
  Sample: 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
  Resource: win10v2004-20240419-en
General
Target: 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
Size: 2.7MB
MD5: 04b2eddf716f9ee4ecf89f68004e5110
SHA1: 5bf5c320a23f15da9c0c0135d69b9e44ee810f21
SHA256: d7ad9153fca552f21476689a7f80853774738c033cdb53981902dfd873aee7d7
SHA512: 96a46b9f904359b142023b0c618d6df59121d4e7be539c549f610bf6eeeefcdbb610670dc7d386d8fb9b11de6487671a96ac8c159e214477737170b3c784ba6f
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpa4
Malware Config
Signatures
Executes dropped EXE - 1 IoCs
  pid 1664  Process devoptisys.exe
Loads dropped DLL - 1 IoCs
  pid 2416  Process 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
Adds Run key to start application - 2 TTPs, 2 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHQ\\optixloc.exe"  Process 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRP\\devoptisys.exe"  Process 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
Suspicious behavior: EnumeratesProcesses - 64 IoCs
  pid 2416  Process 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
  pid 1664  Process devoptisys.exe
  (the 64 entries alternate between these two processes)
Suspicious use of WriteProcessMemory - 4 IoCs
  PID 2416 wrote to memory of 1664  Process 04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe  procid_target 28
  (the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe"
   PID: 2416
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\AdobeRP\devoptisys.exe
      Command line: C:\AdobeRP\devoptisys.exe
      PID: 1664
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
  MD5: 0a8dc73f4a87e03cea82a1813d63eb1c
  SHA1: b16a24314e0ae14ffc10d946ef827475f3835edf
  SHA256: c1ad4adf9fc21011e81d9a6cb15c40583c8edc53059909de570480340f8f5405
  SHA512: 534beea3ba86f28e9315ca1d02d42f392ba511ef510af8a630076da59dc51a3660a58a7ca665d3880483891efdcbac95f4abf177755cc2abfaae8ff67a7cfbd3
Filesize: 204B
  MD5: 56ed90c95d0efd5a08d6c432be588df4
  SHA1: 9e12e9ec47aa53420eb94bd770a1dcd1861cbc77
  SHA256: ae11262f9fa44a17f83108db6d7746e8b0dcebee42ce933d3e1150f7fa26d424
  SHA512: c81666018ffa97c0b25a1a8994d7964f78963e57a23879af9ca1ed3bebbb0e2c00fe2777c4f5df35e7bcc3ae24a30c0c12bddac073376757c051e5b0d605e38f
Filesize: 2.7MB
  MD5: 17ad50224776ee28498ff96d3efd7d86
  SHA1: ab12e23e5d7edacd1bf50a1aaab48df12d146efd
  SHA256: 0e3da910baad5f32ec6d88d316b1b439bf7804f80f0629648f5b46792dcd3b37
  SHA512: 0a0a27737b1d1a9157d369fa73120237f55facf70581aa318d05fc719ce28c664c19aa7c9b514fa67909c366f6a43788dd7b0c13a5b030892f341ac3eee25519