Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2023, 12:36
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
- Size: 192KB
- MD5: 103b0e3c4d41ea8760f985a4ef2b1fc0
- SHA1: e9b3f782a60adceff40c7c6ec72a9f533c5d7e00
- SHA256: bb83a58b15f808f8003a8a1ac5dd4addbc20db91e8960328efe9232a89377cd6
- SHA512: 995edc9913ddf56eec1ec01afa328817f7bce1745f67f4acd68819afa96bc9bdb71443b3cc88b9e1b9964b07b902334a12433ef7b989ab7b8eefffd4294c1ac6
- SSDEEP: 3072:26/chyinW3kBlqSpi9GXgS9uaxjnw89JnszQcJdXRNT:Jin4kBs6i9GXgUxF52dXHT
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid   Process
  2764  jezwark.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\jezwark.exe  NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
  File created  C:\PROGRA~3\Mozilla\gicylsk.dll  jezwark.exe
  Note: C:\PROGRA~3 is an 8.3 short name; on a default Windows installation it resolves to C:\ProgramData, which is writable by standard users, rather than to Program Files.
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2972  NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
  2764  jezwark.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 1676 wrote to memory of 2764  1676  taskeng.exe  29
  PID 1676 wrote to memory of 2764  1676  taskeng.exe  29
  PID 1676 wrote to memory of 2764  1676  taskeng.exe  29
  PID 1676 wrote to memory of 2764  1676  taskeng.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe"
  PID: 2972
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {C6205C2A-8F2C-4EE6-BC5A-02E0BF6553D2} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1676
  - Suspicious use of WriteProcessMemory
  - child: C:\PROGRA~3\Mozilla\jezwark.exe
    command line: C:\PROGRA~3\Mozilla\jezwark.exe -yvxgvyl
    PID: 2764
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
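Detection logic for the three behaviours this report records (PE files dropped under a user-writable directory, taskeng.exe launching a binary from that directory, and an AppInit DLL entry being modified), written as an added example that is not part of the tria.ge report. It runs over a handful of constructed Sysmon-style events modelled on the process tree and IoCs above. The PIDs, paths and the taskeng.exe command line are taken from the report; the parent process of the sample, the exact AppInit_DLLs key and value (the report names the signature only), the 8.3 short-name table and the two benign control events at the end are assumptions made for the example.

```python
"""Detection logic for the behaviour in this report, run over constructed
Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent).
Added example, not tria.ge output; the events are modelled on the report."""
import ntpath

# 8.3 short-name prefixes as usually assigned on an English Windows install.
# Assumption: the real mapping depends on the order the directories were
# created, so on a live host resolve them via the filesystem, not a table.
SHORT_NAMES = {
    "c:\\progra~1": "c:\\program files",
    "c:\\progra~2": "c:\\program files (x86)",
    "c:\\progra~3": "c:\\programdata",
}
# Roots a standard user can write to; a PE dropped here is worth a look.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
# Registry value names behind the "Modifies AppInit DLL entries" signature.
APPINIT_VALUES = ("appinit_dlls", "loadappinit_dlls")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.103b0e3c4d41ea8760f985a4ef2b1fc0_JC.exe"
DROPPED = r"C:\PROGRA~3\Mozilla\jezwark.exe"

# Constructed events. PIDs, paths and the taskeng command line come from the
# report; the parent of the sample, the AppInit key/value and the two benign
# control events at the end are assumptions made for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2972, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2972, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2764, "Image": DROPPED,
     "CommandLine": DROPPED + " -yvxgvyl",
     "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "ParentCommandLine": r"taskeng.exe {C6205C2A-8F2C-4EE6-BC5A-02E0BF6553D2} "
                          r"S-1-5-18:NT AUTHORITY\System:Service:"},
    {"EventID": 11, "ProcessId": 2764, "Image": DROPPED,
     "TargetFilename": r"C:\PROGRA~3\Mozilla\gicylsk.dll"},
    {"EventID": 13, "ProcessId": 2764, "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\PROGRA~3\Mozilla\gicylsk.dll"},
    # benign controls: an installer writing to Program Files, and explorer
    # starting notepad; neither should fire.
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\PROGRA~1\Vendor\app.exe"},
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def normalize(path):
    """Lower-case a Windows path, strip quotes and expand the common 8.3 prefixes."""
    p = path.strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p.startswith(short):
            return full + p[len(short):]
    return p


def in_user_writable(path):
    """True when the (normalized) path sits under ProgramData or a user profile."""
    return normalize(path).startswith(USER_WRITABLE_ROOTS)


def detect(events):
    """Return (rule, detail) hits for the three behaviours the report records."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate: PE written to a user-writable root
            target = normalize(ev["TargetFilename"])
            if in_user_writable(target) and target.endswith((".exe", ".dll")):
                hits.append(("pe_dropped_in_user_writable_dir", target))
        elif eid == 1:  # ProcessCreate: scheduled task engine runs a dropped binary
            parent = ntpath.basename(normalize(ev.get("ParentImage", "")))
            image = normalize(ev["Image"])
            if parent == "taskeng.exe" and in_user_writable(image):
                hits.append(("scheduled_task_runs_user_writable_binary", image))
        elif eid == 13:  # RegistryEvent: AppInit_DLLs / LoadAppInit_DLLs changed
            value = ntpath.basename(normalize(ev["TargetObject"]))
            if value in APPINIT_VALUES:
                hits.append(("appinit_dll_modified", normalize(ev.get("Details", ""))))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On Windows 8 and later the task engine is hosted in svchost.exe (the Schedule service) rather than taskeng.exe, so the parent check in the ProcessCreate rule needs widening before the logic is used against Windows 10 telemetry such as the behavioral2 run.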
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: 6aa8b24cf0ed85bbd90388c0b1a76790
  SHA1: 0429dccd96dacd8634caaf81a00de5838f9c5ef2
  SHA256: 1a608e12412c5eae4e71ee803473be1686d6760d6140bd28b6f8cdeab83200fa
  SHA512: 7f0a80b1a55edcb0cc5f1d240101d814c25e7c7030677641209cc197fa99e37b114fd1ba632d3aacfcc26b0527e4a62b444b3df993d87f3e59a67427071ed29f