Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.b0749...40.exe

windows7-x64

7

NEAS.b0749...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.b0749aae554986bfa0d35f20e2f2f740.exe

  • Size

    200KB

  • MD5

    b0749aae554986bfa0d35f20e2f2f740

  • SHA1

    80fe356b51fdd237ddf856ca897fa9e38286d97a

  • SHA256

    384fe222a93548118e8b3173247f69fabcd028e54f6f16a7ee61ae1e89edf38d

  • SHA512

    3d968f553605edc7476c99bd179ef5ae3969471298e848ee064a5fd6f2ef0688805facf078a4c1dc51628a9c5f1f0b3422baf352f389eab802f80cd029a70097

  • SSDEEP

    768:J/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfL/:JRsvcdcQjosnvnZ6LQ1E/

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.b0749aae554986bfa0d35f20e2f2f740.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.b0749aae554986bfa0d35f20e2f2f740.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    200KB

    MD5

    7bf92d1e0196fb774961851d01db3673

    SHA1

    ef30660cc6823a6ba36e6be6e327aa1227565d1c

    SHA256

    0f74a093ac39bd1850330ea7196aff52db5b9a1cb02905e2ac0557cb34ab72b6

    SHA512

    12d8b21b5854e5258011f267d38751f38674390a4264c6bf47986abebdb9a215f0cd2fe91b44385184fcffa07892be00bf68b95a6a1b122cbcb3c5a1384582ee

    Download Submit

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    200KB

    MD5

    7bf92d1e0196fb774961851d01db3673

    SHA1

    ef30660cc6823a6ba36e6be6e327aa1227565d1c

    SHA256

    0f74a093ac39bd1850330ea7196aff52db5b9a1cb02905e2ac0557cb34ab72b6

    SHA512

    12d8b21b5854e5258011f267d38751f38674390a4264c6bf47986abebdb9a215f0cd2fe91b44385184fcffa07892be00bf68b95a6a1b122cbcb3c5a1384582ee

    Download Submit

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    200KB

    MD5

    7bf92d1e0196fb774961851d01db3673

    SHA1

    ef30660cc6823a6ba36e6be6e327aa1227565d1c

    SHA256

    0f74a093ac39bd1850330ea7196aff52db5b9a1cb02905e2ac0557cb34ab72b6

    SHA512

    12d8b21b5854e5258011f267d38751f38674390a4264c6bf47986abebdb9a215f0cd2fe91b44385184fcffa07892be00bf68b95a6a1b122cbcb3c5a1384582ee

    Download Submit

  • memory/760-12-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3208-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3208-11-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download