Analysis
max time kernel: 4s
max time network: 8s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/10/2023, 17:02
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
Resource: win7-20230831-en
General
Target: NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
Size: 14.3MB
MD5: 8ef72af893e61f61fa3813627c444a2d
SHA1: 6f842049f803d49be1f1d2f6dd263380bf85fe0e
SHA256: 00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59
SHA512: 86294018c998a2b11503ac8645d6b270016d9e703a0a780a4544f2deecee5c505559f371aa40290f58808bb9a714feaa44f26c5ba12026c18ea8cbc40fccf898
SSDEEP: 393216:sObVsTKckqLk4OEbeMbppEvlXqn5HBHGRXNe:vbKgqwEbecpIKdgg
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Wine | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID | Process
  468 | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID | Process
  468 | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
  468 | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID | Process
  468 | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
  468 | NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe"
  Signatures triggered:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 468