Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

NEAS.8f31d...JC.exe

windows7-x64

7

NEAS.8f31d...JC.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2023, 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.8f31d9d3e255e3ff701c034e37b74f20_JC.exe

  • Size

    41KB

  • MD5

    8f31d9d3e255e3ff701c034e37b74f20

  • SHA1

    cfed58af9715f3d9f129657d90c1043fe9ea9833

  • SHA256

    ee0ca72dfd2c31d50bd0aafc996d56c7c60dd4a537002288fec15a1ebc19a845

  • SHA512

    31f68183c2e7045d097b9fb89259ea13991edf7c366a6e8d56b56512aa11d8dfc3063ea003f285d58c5546653a4eb8e63f4e39254f570e97942a17cf3b3d51f7

  • SSDEEP

    768:deMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09Cy:dq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSz

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8f31d9d3e255e3ff701c034e37b74f20_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8f31d9d3e255e3ff701c034e37b74f20_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 796
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    3b1feba47699b238160edda807427f51

    SHA1

    d1452729140b30290d141ab11a05f869f29be16c

    SHA256

    21d5f6c0fdd205d84f88239cbac6ddacfec1d9da13315f0d521ae1b97387b833

    SHA512

    f63a179b7377c9931c48f64de9a29abbe6debdcf96e8f868df19ffbc6282eda5bc6c83ea74b3a26fc621398b6cbeb69b9dc2199a4e784bd63e3ddb0f399d733c

    Download Submit

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    3b1feba47699b238160edda807427f51

    SHA1

    d1452729140b30290d141ab11a05f869f29be16c

    SHA256

    21d5f6c0fdd205d84f88239cbac6ddacfec1d9da13315f0d521ae1b97387b833

    SHA512

    f63a179b7377c9931c48f64de9a29abbe6debdcf96e8f868df19ffbc6282eda5bc6c83ea74b3a26fc621398b6cbeb69b9dc2199a4e784bd63e3ddb0f399d733c

    Download Submit

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    5ba26564e96ccba21926da45e5928a48

    SHA1

    1e7d4d367db72eba5942d6eb5504b9478578fa7a

    SHA256

    c13a4ac9b2f969dac9a28a3b2537a7cc77b0f6bdde9aeead73637547bf84970e

    SHA512

    40b92e21bfb50d680eb89c403a131574edfa375802fc9873c0011e81623066cd842de010f6a2f40a4f13d6442da26fa94d21a89b0379adea9b64fa10d95b55a5

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    e5c1f4fe65e8314de2c9e6aa45066a8c

    SHA1

    262059dfc910a3056f3a389c71eeda5a8343b356

    SHA256

    bf27abd99b2f47a012ac7cd6a12283ab1ca49d3696c6278338c5ab89c54df839

    SHA512

    ac709edc2a07eeeedf258e0536196f74141498ccea11ab0912aceb498f15c3d6c6963f3b955f85029151f5c1516a095e63550a8a5ccc132a24eb6bfdbdcaac3f

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    3b1feba47699b238160edda807427f51

    SHA1

    d1452729140b30290d141ab11a05f869f29be16c

    SHA256

    21d5f6c0fdd205d84f88239cbac6ddacfec1d9da13315f0d521ae1b97387b833

    SHA512

    f63a179b7377c9931c48f64de9a29abbe6debdcf96e8f868df19ffbc6282eda5bc6c83ea74b3a26fc621398b6cbeb69b9dc2199a4e784bd63e3ddb0f399d733c

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    3b1feba47699b238160edda807427f51

    SHA1

    d1452729140b30290d141ab11a05f869f29be16c

    SHA256

    21d5f6c0fdd205d84f88239cbac6ddacfec1d9da13315f0d521ae1b97387b833

    SHA512

    f63a179b7377c9931c48f64de9a29abbe6debdcf96e8f868df19ffbc6282eda5bc6c83ea74b3a26fc621398b6cbeb69b9dc2199a4e784bd63e3ddb0f399d733c

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    e5c1f4fe65e8314de2c9e6aa45066a8c

    SHA1

    262059dfc910a3056f3a389c71eeda5a8343b356

    SHA256

    bf27abd99b2f47a012ac7cd6a12283ab1ca49d3696c6278338c5ab89c54df839

    SHA512

    ac709edc2a07eeeedf258e0536196f74141498ccea11ab0912aceb498f15c3d6c6963f3b955f85029151f5c1516a095e63550a8a5ccc132a24eb6bfdbdcaac3f

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    e5c1f4fe65e8314de2c9e6aa45066a8c

    SHA1

    262059dfc910a3056f3a389c71eeda5a8343b356

    SHA256

    bf27abd99b2f47a012ac7cd6a12283ab1ca49d3696c6278338c5ab89c54df839

    SHA512

    ac709edc2a07eeeedf258e0536196f74141498ccea11ab0912aceb498f15c3d6c6963f3b955f85029151f5c1516a095e63550a8a5ccc132a24eb6bfdbdcaac3f

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    41KB

    MD5

    d2230fcda7864e100ac63ade748857f5

    SHA1

    dc2bcab7d28141c55dba384d1e4e4d67b65bd20b

    SHA256

    5918b1f86f17eb48f661721f67e4660210e89bc72fd71807fabf8651182fa919

    SHA512

    3fc866b0d62d593d6073d27429e9d63170396f8c0cdecbaea41cbd960ce0f529cd847306de1eb7e0ba4fc132e5131593a6ebdaaeabe80e54ced249e55daa04f2

    Download Submit

  • memory/1700-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1700-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1700-47-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2036-25-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2036-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2036-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2036-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2036-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2704-38-0x0000000000340000-0x000000000035F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2704-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2704-45-0x0000000000340000-0x000000000035F000-memory.dmp

    Filesize

    124KB

    Download