Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

NEAS.apple...JC.exe

windows7-x64

9

NEAS.apple...JC.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2023, 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.applecleaner2exe_JC.exe

  • Size

    3.6MB

  • MD5

    5d55189c4f5b49069859724f34597158

  • SHA1

    c79a67cc70d2a8994d1c1480114c1890ae550f15

  • SHA256

    027d32bf28bf27f41e1a4a883cedf922d0ea1928f5c8024b2702eb70cee6710a

  • SHA512

    bae030f2075d6cdef0ba02533dbd0f5a5ea05a75634af7a7e231c836978e7512e8b237fb6197634b39278383927eec7410b437c52e926623164c3a17b643d00e

  • SSDEEP

    98304:dB92kxJ9+xRXCoSJB56et0JsX+40Kollv09V/9T:dj2KJ9+xRyXJFt0yX+40xNWZN

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.applecleaner2exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.applecleaner2exe_JC.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im Battle.net.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://applecheats.cc/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    978ad444300367369d5736aa35645ae8

    SHA1

    f7132bb36d0a12c8d09bacfc48483eb8f7db6665

    SHA256

    ef3a12e61aa92d7d444332f357bb2b58afdbb9f69921e1c7499a47d0446a41cc

    SHA512

    473b5f87fdd06ab3b225de4a023998b0b9f0f43050ec7f313a14c781f24d2bf675ad7cbeefdbb52a959676ccf0500f987fdd83dd6a66a880304b1369a64d9f54

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9ed9dc75f5abade4d4135288a316c44b

    SHA1

    085f45be6be1ea4a8b5c3c89961a4415d1dd087e

    SHA256

    3414a0efa96f08360d12cdc748189d9e0d4a51e8904729d3f11dad8447c84e51

    SHA512

    8cbbe7ee0153230de04c704e8ce0711153007e3749e11c76c4b45f88d4cd95f40954cc97de2bcd8d877adfe74aa8f294dcb0daaa9d52988a23945e821e042c08

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ac1b2b2c2bcfc8a219a90707557ce332

    SHA1

    3fcd963ed41d68ea2ce817fb2b65fdb5ccc416be

    SHA256

    64e65a22e5c4a36cb0fbf303ceeccd461148f2f0faa86b9914597f3736366619

    SHA512

    4c7e3eec47ebfb959a966e43ac8fc6fbec956caaa4e96030db7c3ddfeed7085fda200fd8f129da9392cadf54545a7631e9ed64f80674c7af0daedc2d8a213a97

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2c67a77dbaae69bee7561fd72409da43

    SHA1

    03ad805e96443359224e61818f93e98d71a664ed

    SHA256

    06ef863bc1186f7050c762768ca6da9606bbb4a933c8a3b6f31596b31ed0234e

    SHA512

    3ee0c0ef15fea0905992ed5d32838a4e6aa23867966df2b5520d444e2f83d93b3e4780d213a3dc4774a314c88749e769c6c8221d42839362be7cf00494e465d6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c0e3429d9d073667733e47ab6e315397

    SHA1

    fd30ca7d53365f7fedbdc0ab3ca3a546a7a48a07

    SHA256

    5e88e3a06b9f87bf41dff283b56b9e352b93730cbb32b51cb02aa89cb3696c46

    SHA512

    5eb0cebce3eac8c520333336f398b54506d77037866bc6b2ccdf2015a5013f3561c0732bd8ecb56fbb2dd221c4bb6138badd3ab7f4e069ced3faf541fe9e36a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    46c24dd285bbf9bf51d9a13ffa3ad02c

    SHA1

    fb934f26fc4292c9cb07d60ff527529a6a8d947f

    SHA256

    1b970bf591adada63610cf5aeaa1d1a88f368ce4700823d7c1876b5123ce4c97

    SHA512

    f696a27ca4e49eb5489a78d0160449d7d17800fe6e75adddca4976de2b2c1c5cd4d047d2f4378e92889d2043214fe50ce370dbe1cde22f6c1f4e03e30372bcc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7d4f1e8cb3c1a613d2871eafc0763878

    SHA1

    585c50ba2b90fce8a1d0df6118e61608f8dcd97d

    SHA256

    58ab8560180fe2845a8942632397e70a3c913365d5c2f76bfddcf4ee104130c0

    SHA512

    4a5a7b879e9201b0d45c52117ec3f9587e937c52a1e90394fae528bfaeeac770fd5d347db97e014b03937b2db7674d19ab1c8eea028136f34f35a36009a96ddc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3f7d975bf0cae8797133c5c6b3f235b5

    SHA1

    84f6078f3884edc580ed0bc3690ff0e8e4933686

    SHA256

    6c9f9c245dc687be1308a70b2c89aeb94044b3ee52beba8ff72cca1d5b454bad

    SHA512

    8f50b0aefaee566b73c72f94469264a35b93638b35108476afcbca6da52f61f8d4c33dee347239d21626e884602278ba795d58d1d2c717373bed25471fc36ec2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    87e2285b6d351bd5548d37b4e4ff07a9

    SHA1

    12045d6fe8dba6c1c662d2d4fffa71325c54609e

    SHA256

    75a9d4681f0953bc18c580783a8508d4bf59ec3bcf533d5e15e89df467e59946

    SHA512

    e67adbbec7ebe8c3b67fec2337ae32a71de874ae920d6be4ffa117d88ad469e87921b0351448549182af23d9f4a9f5bc6e8b15c48374bf49b91f27a1c9b58bf7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cab836c048e680845111d72d82eba43f

    SHA1

    d59d90942a8b8f48373ecbc6835446abf3fbb0f5

    SHA256

    79d63c4a0a7a4b886613ef55ed7c406d479c0a6d4143ae55e3bd0bb7cabe6de6

    SHA512

    4c60a3116f77d730c8d31e065fdc8a9b2577369e7f5fa4169c427de99d93de2ba54a743dfbec12c7c2e1aa4f9b888a804db77e8348e51f06e051f95e08dfb917

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b6d9c16d80c9a53086a3d292f41b38ea

    SHA1

    da3d63aff9bb5b3a2eb06b137cb4eaa30004e7fe

    SHA256

    12a4c51234d419af8bf7c402f72e8a21375bc0bfe8532bd18ea4d7445695ae1f

    SHA512

    666d6632506055553239953422556989fce329e382d619ed38de5313e44171e354285262282a24b62182efe7d2adcc3615524bb498275fb3bba4d944f0bb629a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    39e51ce9d68747f42710b551c5fa052a

    SHA1

    62c747a4f7d253b6db125c045821aabfcf3e1858

    SHA256

    d8d3fcfc9892980b99b94961318c4960e72a10a51ceb920e048c0b77b75e3140

    SHA512

    626e9f3ddec612ffeeec9c6712f0f542818dc42a5be4d2bbd9e68ae23fb44d4987548be3d149df80a8f2d8496db277b1f8ea29ac2445af59de267cc8caf9a966

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA7E3.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarC016.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit

  • memory/2548-0-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-60-0x0000000077680000-0x0000000077829000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2548-59-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-5-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-4-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-3-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-2-0x000000013FE00000-0x000000014079B000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2548-1-0x0000000077680000-0x0000000077829000-memory.dmp

    Filesize

    1.7MB

    Download