Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

090fa96a61...AS.exe

windows7-x64

7

090fa96a61...AS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    090fa96a61d82425fda2e53fcc9ed090_NEAS.exe

  • Size

    134KB

  • MD5

    090fa96a61d82425fda2e53fcc9ed090

  • SHA1

    87a9463dd44bae1c46a4282e50b13db963a7be36

  • SHA256

    daa51f40083f7c3204968c1e3eb3de074f45cecb492a093a3e9991844be960e9

  • SHA512

    9765c1ec4ee307c902d866adf534eb9567ed8bbc237a55ecd60f73d83b9df3ead9a56fb2a6e26441a91efabbe37eb7a1b37f1ee20a1db997143a46f50d4353ee

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOS:YfU/WF6QMauSuiWNi9eNOl0007NZIOS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\090fa96a61d82425fda2e53fcc9ed090_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\090fa96a61d82425fda2e53fcc9ed090_NEAS.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      PID:4676
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\090fa96a61d82425fda2e53fcc9ed090_NEAS.exe" >> NUL
      2⤵
        PID:4540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Update\wuauclt.exe
      Filesize

      134KB

      MD5

      36cf186293147eed5cfbc908eaf0c508

      SHA1

      dc6cb47b8f578abc15149039b9f0f0e8d90f03ca

      SHA256

      632a004a995f6d4bd2963944325233da89cf566af3d7c5536c1e7471e81a115b

      SHA512

      3c6a35deef01bc55f3a728f495f00e81e630bb6f53ed8d014a1c1dd479fdedd38b3afa85095cc4486402c53e0aac4d2f66d91568acdeaba1bb90a6fba47a13f9

      Download Submit

    • memory/1636-0-0x00000000006A0000-0x00000000006C8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1636-6-0x00000000006A0000-0x00000000006C8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1636-8-0x00000000006A0000-0x00000000006C8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4676-5-0x0000000000AF0000-0x0000000000B18000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4676-7-0x0000000000AF0000-0x0000000000B18000-memory.dmp

      Filesize

      160KB

      Download