Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

NEAS.0ef20...JC.exe

windows7-x64

7

NEAS.0ef20...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/10/2023, 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.0ef20b3c05d8d17c57806b5e68456020_JC.exe

  • Size

    482KB

  • MD5

    0ef20b3c05d8d17c57806b5e68456020

  • SHA1

    b78d681f3884b6f34dd7759e89ab091084a66537

  • SHA256

    597d6fcc25692a52f7a0aa4300739bff76f289dd6e6087d2ed2d71ba0101a008

  • SHA512

    23e0d915f25ed6f2eabf77cfac373455ae2d102931b4bfe461646c4acbc2f4c327fd1908a8282f7f38938c892930fe03240eff10188296f9a39ac27d85f90097

  • SSDEEP

    6144:2dspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqO:M8kxNhOZElO5kkWjhD4Ay

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0ef20b3c05d8d17c57806b5e68456020_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0ef20b3c05d8d17c57806b5e68456020_JC.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Program Files\AWJAO.EXE
      "C:\Program Files\AWJAO.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\AWJAO.EXE
    Filesize

    482KB

    MD5

    f6d2db26a9e64ab096bb11b4002718cc

    SHA1

    ad6b7a5f9a7eede29f8882cfef017489f4a52ae1

    SHA256

    c0d6e4f5d2135fa2aac94e1f7b02acf31a27e3d276cbd4df4a1339632cb65de9

    SHA512

    0028ad0c1764f0000696a2974a66833d3ce7d735f8c31ab070058d24fb0c36ddeb11999735618dbaf8c8ba588a8d7668b917de910f3415791c78cfa9764c5eef

    Download Submit

  • C:\Program Files\AWJAO.EXE
    Filesize

    482KB

    MD5

    f6d2db26a9e64ab096bb11b4002718cc

    SHA1

    ad6b7a5f9a7eede29f8882cfef017489f4a52ae1

    SHA256

    c0d6e4f5d2135fa2aac94e1f7b02acf31a27e3d276cbd4df4a1339632cb65de9

    SHA512

    0028ad0c1764f0000696a2974a66833d3ce7d735f8c31ab070058d24fb0c36ddeb11999735618dbaf8c8ba588a8d7668b917de910f3415791c78cfa9764c5eef

    Download Submit

  • C:\Program Files\TLOJ.EXE
    Filesize

    482KB

    MD5

    fd0b7825403863708b4309d75ec23596

    SHA1

    d29cbfa2884a980f45c381aaf597c763ab76b5d7

    SHA256

    620b41bdf28e63a5822fe54bc94e67bf1503015bc37dc9f57fcb24423780a1e7

    SHA512

    6a12f1db1f631d083d3c36b6dfd869da6b61df59b8be067a2df1f9fdc558f3bad31b18c25b27478ca5d7778578a39daf525366a337fe2e1749ad778daba763a2

    Download Submit

  • \??\c:\filedebug
    Filesize

    255B

    MD5

    3c178dc762d01d17ff9fe7d3fd54e6fd

    SHA1

    8cdea12e188b2d51aca21cf80eb0f7ebac486941

    SHA256

    b2b9cd450cbe92fe8edee7d4db140a73a38eac650feadfcd4a37e3539f4ed5d1

    SHA512

    229e16483799ea4d82da534b4c4cebdf145248a7ee89544d7b706330e22c71cd07d52e023e7a319f6f58ab74c348104bb3343945ace25f976a2617f542625c39

    Download Submit

  • memory/800-23-0x0000000000920000-0x0000000000921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/800-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/3684-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/3684-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download