Analysis
- max time kernel: 184s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 07/10/2023, 14:18
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.system32exe_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.system32exe_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.system32exe_JC.exe
- Size: 9.9MB
- MD5: 25af599b04074298133944628227451a
- SHA1: b23abea6f74e7ffd1fa05436fc952ac652d59342
- SHA256: 9a88864e3c87f405002960fa5bb710f486e15e7af8c7c2a0a64e6ff4957233f8
- SHA512: 5ee27fc0fb47a50c26da3804c482f218d239ce250a1f5a0b0b2dc6e4440ea961fa8f19b2d64f37478d807b944d864da712614584825f29832faaa09cac2c0573
- SSDEEP: 196608:5TYReKrNPFho7UzsyNhaD3fqYz08tHihjnwFXokW8oHDt+:F6DrNPFiksyYI8tkwZoklsx+
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (7 IoCs)
pid | Process
2744 | neas.system32exe_jc.exe
2856 | icsys.icn.exe
2632 | explorer.exe
1260 | Process not Found
2892 | spoolsv.exe
1172 | svchost.exe
1984 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
840 | NEAS.system32exe_JC.exe
840 | NEAS.system32exe_JC.exe
2744 | neas.system32exe_jc.exe
2744 | neas.system32exe_jc.exe
2856 | icsys.icn.exe
2632 | explorer.exe
2892 | spoolsv.exe
1172 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\System32\d3dcompiler_43.dll | neas.system32exe_jc.exe
File created | C:\Windows\System32\d3dx9_43.dll | neas.system32exe_jc.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
File created | C:\Windows\System32\d3dx11_43.dll | neas.system32exe_jc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2744 | neas.system32exe_jc.exe
2744 | neas.system32exe_jc.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | NEAS.system32exe_JC.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1868 | schtasks.exe
1480 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, consecutive identical rows collapsed with their count)
pid | Process
840 | NEAS.system32exe_JC.exe (16 entries)
2744 | neas.system32exe_jc.exe (1 entry)
2856 | icsys.icn.exe (17 entries)
2744 | neas.system32exe_jc.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2632 | explorer.exe
1172 | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2744 | neas.system32exe_jc.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
840 | NEAS.system32exe_JC.exe
840 | NEAS.system32exe_JC.exe
2856 | icsys.icn.exe
2856 | icsys.icn.exe
2632 | explorer.exe
2632 | explorer.exe
2892 | spoolsv.exe
2892 | spoolsv.exe
1172 | svchost.exe
1172 | svchost.exe
1984 | spoolsv.exe
1984 | spoolsv.exe
Suspicious use of WriteProcessMemory (36 IoCs; each row is reported four times in the original, collapsed here with its count)
description | pid | Process | procid_target
PID 840 wrote to memory of 2744 | 840 | NEAS.system32exe_JC.exe | 29 (4 entries)
PID 840 wrote to memory of 2856 | 840 | NEAS.system32exe_JC.exe | 30 (4 entries)
PID 2856 wrote to memory of 2632 | 2856 | icsys.icn.exe | 31 (4 entries)
PID 2632 wrote to memory of 2892 | 2632 | explorer.exe | 32 (4 entries)
PID 2892 wrote to memory of 1172 | 2892 | spoolsv.exe | 33 (4 entries)
PID 2632 wrote to memory of 2792 | 2632 | explorer.exe | 34 (4 entries)
PID 1172 wrote to memory of 1984 | 1172 | svchost.exe | 35 (4 entries)
PID 1172 wrote to memory of 1868 | 1172 | svchost.exe | 36 (4 entries)
PID 1172 wrote to memory of 1480 | 1172 | svchost.exe | 39 (4 entries)
Processes (the bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.system32exe_JC.exe (PID 840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.system32exe_JC.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\users\admin\appdata\local\temp\neas.system32exe_jc.exe (PID 2744)
    Command line: c:\users\admin\appdata\local\temp\neas.system32exe_jc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\Resources\Themes\icsys.icn.exe (PID 2856)
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\resources\themes\explorer.exe (PID 2632)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\resources\spoolsv.exe (PID 2892)
        Command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\resources\svchost.exe (PID 1172)
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - [6] \??\c:\windows\resources\spoolsv.exe (PID 1984)
            Command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\SysWOW64\schtasks.exe (PID 1868)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:22 /f
            - Creates scheduled task(s)
          - [6] C:\Windows\SysWOW64\schtasks.exe (PID 1480)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:23 /f
            - Creates scheduled task(s)
      - [4] C:\Windows\Explorer.exe (PID 2792)
        Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads (21 entries in the original; identical entries are listed once with their count)
- Filesize: 9.8MB (4 entries)
  MD5: 4aac2cfbd4dab7ab69ddd2c35418965a
  SHA1: ef11af4171a73774ef4224bddaf561fcb9791176
  SHA256: bb60c30a3d8781b377268997847f7c1726d6c94c3b0c38dd506954b21167fd49
  SHA512: 15a0e1f26ea331a0257cb029a4f6b6539117f7941cc6967fda4f9dc5560b626d9e22a0c4e812399d83e8a86e1d32bb01ec0bf008d15759381e7c538f252338cc
- Filesize: 135KB (4 entries)
  MD5: 9ce7d914d92dd114ab8e6aa4e36db928
  SHA1: 73a1953f2a1387453691382c9ddc937fc8e36e64
  SHA256: 362dee489fff14f7e028168e8fd4e4ad234be8bcb0a71117e3f6d8d1f012a4ff
  SHA512: 4aec1badf5faf3e900a6ed71a4ded68b69cf8cb06a02c332f50faa32f26574c879153bcc12d589f17910065f0bae066652f4ebe0e8e6b4af7cfef3c70fa54269
- Filesize: 135KB (3 entries)
  MD5: b93a0d03c077091f85927f9235ca525a
  SHA1: e1593134b758dc8242a3647f11d941f1f5efaf40
  SHA256: 2138d1628d36f539ad872562fb2b29991fa2f2a667edabe357a4ec90f44493cc
  SHA512: 271e32b6d9f24dc09c35e29d36c2e8ba2ddb509fab744f84a3cdd7fcffbc720efab16dc9f6b7db33d79d519b72e55f0becd8980af7d36b1d548f6a1d366c6e9d
- Filesize: 135KB (5 entries)
  MD5: 4393b472e85575e14d2a2239ef909af0
  SHA1: 87fd7364e97666c11baa4f3af93607e3aa8297a8
  SHA256: 28cc4ce52a873d5b101038d378f011df8e99a8a5ca51f7778f370b64dd37a3ba
  SHA512: 63aad59feec6306caa74a0bd8fdb2204d9ee165ef5d94678387c55fdad92132638e7394c0d057b2cad59687cc5702bcad5537d115d8becdea89456144deae241
- Filesize: 135KB (3 entries)
  MD5: 1c8009422fb2184e7f66fabf15d726ea
  SHA1: 1932d88f750f4ab4f973f5c48e038f0bf189e21b
  SHA256: d25e93ef3068a8606cb8c69a5eedd3d34e4e89cf4e49806f373bc2d89f71f54b
  SHA512: 23752f982a6b1b4d86521ee52938ca25fe515ce43c536b442b083df3ed3ece63f738dd22f0367f46a00fb57144b969db4935a8689b40d248c525e706abb11f61
- Filesize: 2.4MB (1 entry)
  MD5: ada0c39d4eacdc81fd84163a95d62079
  SHA1: 207321f1b449985b2d06ed50b989fa6259e4eb8e
  SHA256: 44c3a7e330b54a35a9efa015831392593aa02e7da1460be429d17c3644850e8a
  SHA512: 1afc63db5d2030b76abc19094fc9fef28cc6250bd265294647e65db81f13749c867722924460f7a6021c739f4057f95501f0322cdec28a2101bf94164557a1a5
- Filesize: 270KB (1 entry)
  MD5: 9d6429f410597750b2dc2579b2347303
  SHA1: e35acb15ea52f6cd0587b4ca8da0486b859fd048
  SHA256: 981e42629df751217406e7150477cddc853b79abd6a8568a1566298ed8f7bd59
  SHA512: 46cbfb1e22c3f469bdc80515560448f6f83607fd6974bb68b9c7f86ca10c69878f1312b32c81c0f57b931c43bad80bd46bdf26ab4ffb999abb0b73de27ad7c56