Analysis
  max time kernel: 151s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/05/2024, 18:45
Static task: static1

Behavioral task: behavioral1
  Sample: 02b0553d71c40a60e184e969707f0a00_NEAS.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 02b0553d71c40a60e184e969707f0a00_NEAS.exe
  Resource: win10v2004-20240226-en
General
  Target: 02b0553d71c40a60e184e969707f0a00_NEAS.exe
  Size: 3.6MB
  MD5: 02b0553d71c40a60e184e969707f0a00
  SHA1: 6d528aa5dc28352803b86fe4e03bff9015f1197f
  SHA256: 7f610f8216bc3125be38d39ae5696cc8ef5fc0ce10e4e15256000aba4180a3b4
  SHA512: 2d5940603b19cd1d3a6f17d658f3d4228c8a6addab3806a386817932c93dc51ff2e650d0120542c2de4e454868366ee6c0c1df20be1f323b157af1dd499109c9
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpkbVz8
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Process: 02b0553d71c40a60e184e969707f0a00_NEAS.exe

Executes dropped EXE (2 IoCs)
  PID 3356: ecdevbod.exe
  PID 392: devoptisys.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGF\\devoptisys.exe"
    Process: 02b0553d71c40a60e184e969707f0a00_NEAS.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE1\\dobasys.exe"
    Process: 02b0553d71c40a60e184e969707f0a00_NEAS.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count in parentheses)
  PID 2356: 02b0553d71c40a60e184e969707f0a00_NEAS.exe (4)
  PID 3356: ecdevbod.exe (30)
  PID 392: devoptisys.exe (30)

Suspicious use of WriteProcessMemory (6 IoCs; identical rows collapsed, count in parentheses)
  PID 2356 wrote to memory of 3356; pid 2356, Process 02b0553d71c40a60e184e969707f0a00_NEAS.exe, procid_target 90 (3)
  PID 2356 wrote to memory of 392; pid 2356, Process 02b0553d71c40a60e184e969707f0a00_NEAS.exe, procid_target 91 (3)
Processes

C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe (PID 2356)
  command line: "C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 3356)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\IntelprocGF\devoptisys.exe (PID 392)
      command line: C:\IntelprocGF\devoptisys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4284)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads