Analysis
- max time kernel: 149s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 17:23
- Static task: static1
- Behavioral task behavioral1: sample ed8d850cb5ceb21698781bdba05049c0_NEAS.exe, resource win7-20240220-en
- Behavioral task behavioral2: sample ed8d850cb5ceb21698781bdba05049c0_NEAS.exe, resource win10v2004-20240426-en
General
- Target: ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
- Size: 4.1MB
- MD5: ed8d850cb5ceb21698781bdba05049c0
- SHA1: 7b293306394e4f8cd7513b46fd093ec3785a54ae
- SHA256: 757cf80aad63352123a7210a4d8bab08716efd19b06f4fb65c595532e387a72c
- SHA512: 2dfda056dcbac6546fb2447fd4c6c6b84e29d07d61b392b58e5947fe239ecebfa36b02bb54fad3604ca4986766a3515a763098a987576591a48f7e8c4c2942cb
- SSDEEP: 98304:+R0pI/IQlUoMPdmpSp54ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v
Signatures
- Executes dropped EXE (1 IoC): PID 3516, process xdobsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs):
  - Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXW\\xdobsys.exe" by process ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8L\\boddevsys.exe" by process ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, all from PID 1340 ed8d850cb5ceb21698781bdba05049c0_NEAS.exe and PID 3516 xdobsys.exe)
- Suspicious use of WriteProcessMemory (3 IoCs): PID 1340 (ed8d850cb5ceb21698781bdba05049c0_NEAS.exe) wrote to memory of PID 3516, procid_target 91 (the same entry is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe, command line "C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe", PID 1340
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\SysDrvXW\xdobsys.exe, command line C:\SysDrvXW\xdobsys.exe, PID 3516
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.1MB
- Filesize: 4.1MB
- Filesize: 205B