Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

NEAS.a022b...00.exe

windows7-x64

7

NEAS.a022b...00.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 18:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.a022b278364d51809e3668159e432100.exe

  • Size

    463KB

  • MD5

    a022b278364d51809e3668159e432100

  • SHA1

    1d3d170284160dcb9a9fddc6385af21163ba8ccf

  • SHA256

    94058083526fb1238d12551ee0bee9f1f30119324c49fd70672a94706581684a

  • SHA512

    8a20065d82acacd676f253c95b40ed9c07904519b09c0651698b626f5b500cdd5741bd554fa18c9c653247c4e890c04049ee6744e3777428e7e585cc337c0233

  • SSDEEP

    12288:iQUJqcgQs0DcW+smXWvbSed/T7Sdabv8LhBx:iQUxHBDcs/eeN6y+hBx

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.a022b278364d51809e3668159e432100.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.a022b278364d51809e3668159e432100.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1744

Network

  • flag-us
    DNS
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    8.8.8.8:53
    Request
    cen.incredimail.com
    IN A
    Response
    cen.incredimail.com
    IN A
    82.80.204.5
  • flag-us
    DNS
    www5l.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    8.8.8.8:53
    Request
    www5l.incredimail.com
    IN A
    Response
    www5l.incredimail.com
    IN CNAME
    www.incredimail.com
    www.incredimail.com
    IN CNAME
    d11v7akq8vefxt.cloudfront.net
    d11v7akq8vefxt.cloudfront.net
    IN A
    18.239.36.116
    d11v7akq8vefxt.cloudfront.net
    IN A
    18.239.36.91
    d11v7akq8vefxt.cloudfront.net
    IN A
    18.239.36.16
    d11v7akq8vefxt.cloudfront.net
    IN A
    18.239.36.48
  • flag-us
    HEAD
    http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    18.239.36.116:80
    Request
    HEAD /im/imsetup/201107141030/test/tgout/installer//setupscript.7z HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8;Pragma: no-cache
    User-Agent: Mozila
    Host: www5l.incredimail.com
    Content-Length: 0
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: CloudFront
    Date: Sun, 15 Oct 2023 07:08:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Location: https://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    X-Cache: Redirect from cloudfront
    Via: 1.1 2be97027a80b483d863e32bd7fe334e2.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS58-P2
    X-Amz-Cf-Id: j7r9y-8NYLDAxo8DBn8CtRoe9OIUpLjiFV1whswGzHNXVk8L65ekFw==
  • flag-us
    HEAD
    http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    18.239.36.116:80
    Request
    HEAD /im/imsetup/201107141030/test/tgout/installer//setupscript.7z HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8;Pragma: no-cache
    User-Agent: Mozila
    Host: www5l.incredimail.com
    Content-Length: 0
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: CloudFront
    Date: Sun, 15 Oct 2023 07:08:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Location: https://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    X-Cache: Redirect from cloudfront
    Via: 1.1 2be97027a80b483d863e32bd7fe334e2.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS58-P2
    X-Amz-Cf-Id: cAch9uESAcfraLyUyz1TLIErCmyU6a5ZeJPXyw6GzvMUsLTrX9qPUA==
  • flag-us
    HEAD
    http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    18.239.36.116:80
    Request
    HEAD /im/imsetup/201107141030/test/tgout/installer//setupscript.7z HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8;Pragma: no-cache
    User-Agent: Mozila
    Host: www5l.incredimail.com
    Content-Length: 0
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: CloudFront
    Date: Sun, 15 Oct 2023 07:08:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Location: https://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    X-Cache: Redirect from cloudfront
    Via: 1.1 2be97027a80b483d863e32bd7fe334e2.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS58-P2
    X-Amz-Cf-Id: ybZyDJVOpOiwOZSCCol2Xg3SxZgZvEq-ChqJ3q9WK_5eFHy89UWR8A==
  • flag-us
    HEAD
    http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    18.239.36.116:80
    Request
    HEAD /im/imsetup/201107141030/test/tgout/installer//setupscript.7z HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8;Pragma: no-cache
    User-Agent: Mozila
    Host: www5l.incredimail.com
    Content-Length: 0
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: CloudFront
    Date: Sun, 15 Oct 2023 07:08:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Location: https://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    X-Cache: Redirect from cloudfront
    Via: 1.1 2be97027a80b483d863e32bd7fe334e2.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS58-P2
    X-Amz-Cf-Id: mXpuyDMhATx2ugMVw4LWNi_TxSp9wH6E4-GVMFKzkNguNtKEsNPwGQ==
  • flag-us
    DNS
    www5.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    Remote address:
    8.8.8.8:53
    Request
    www5.incredimail.com
    IN A
    Response
    www5.incredimail.com
    IN CNAME
    static-tlv.incredimail.com
    static-tlv.incredimail.com
    IN A
    82.80.204.63
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 18.239.36.116:80
    http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z
    http
    NEAS.a022b278364d51809e3668159e432100.exe
    1.4kB
     2.6kB
     8
    7

    HTTP Request

    HEAD http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z

    HTTP Response

    301

    HTTP Request

    HEAD http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z

    HTTP Response

    301

    HTTP Request

    HEAD http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z

    HTTP Response

    301

    HTTP Request

    HEAD http://www5l.incredimail.com/im/imsetup/201107141030/test/tgout/installer//setupscript.7z

    HTTP Response

    301
  • 82.80.204.63:80
    www5.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    152 B
     3
  • 82.80.204.5:80
    cen.incredimail.com
    NEAS.a022b278364d51809e3668159e432100.exe
    52 B
     1
  • 8.8.8.8:53
    cen.incredimail.com
    dns
    NEAS.a022b278364d51809e3668159e432100.exe
    65 B
     81 B
     1
    1

    DNS Request

    cen.incredimail.com

    DNS Response

    82.80.204.5

  • 8.8.8.8:53
    www5l.incredimail.com
    dns
    NEAS.a022b278364d51809e3668159e432100.exe
    67 B
     192 B
     1
    1

    DNS Request

    www5l.incredimail.com

    DNS Response

    18.239.36.116
    18.239.36.91
    18.239.36.16
    18.239.36.48

  • 8.8.8.8:53
    www5.incredimail.com
    dns
    NEAS.a022b278364d51809e3668159e432100.exe
    66 B
     107 B
     1
    1

    DNS Request

    www5.incredimail.com

    DNS Response

    82.80.204.63

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\ActionEngine.dll
    Filesize

    977KB

    MD5

    e142a0e9faebdc44d4b692e30827bd0f

    SHA1

    ff83ff5dea3e3f2b75b6f2445fd74f12cdc4f9a4

    SHA256

    fc0ef9bd7711fe39fc075d3d239cc14b293b775ecd42e735928b853f0f5c9a70

    SHA512

    67c700f342ee2ae0f0c7d0ec84eac40356620c949b1b3e93fe83edff954a688d847e37be6150491e3f5580a9a419c028c9b35f8baa43455519e5a076527069ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\api.js
    Filesize

    5KB

    MD5

    cad20144ce29f20fecd6c21c5c61dead

    SHA1

    6bbaeb0aae32a3828cb77f8bfd3fb493803f3626

    SHA256

    e68cb263198cf8cf93e5a60be4ff091606be78b0963aca0e519732187ea93e80

    SHA512

    35e0f7c8cb13693d7e3a221f186bd72613544dc75e5355550bd0e7ed7054831258c5a487d20b412ce646313d24b3436baf10597baa8a359a319dbeee26580ad5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\jquery-1.3.2.min.js
    Filesize

    55KB

    MD5

    bb381e2d19d8eace86b34d20759491a5

    SHA1

    3dc9f7c2642efff4482e68c9d9df874bf98f5bcb

    SHA256

    c8370a2d050359e9d505acc411e6f457a49b21360a21e6cbc9229bad3a767899

    SHA512

    abb2ad8b111271a82a04362940a7ab9930883ecb33497a1c53edcdc49f0634af5bf5b1bc7095bd18db26d212b059aece4577f85040b5f49c4982b468fe973c12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\jquery.localisation.min.js
    Filesize

    1KB

    MD5

    f1cf73e00c240e9a4283201291d45a07

    SHA1

    918c49cb6f1de521d91967b2508f19db1f38fea2

    SHA256

    81bce5ff1003c9d5a688102d5d4c603841ed61c32628823dc48d560ec0d42cd2

    SHA512

    2242892434a638a9344c87453c3d2a66a880278dcf66f1516f240131dca767248baf663ffc9365acad26550e5b20a742d8115d5976de3a094d0229d60844788f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\language\splash-strings.js
    Filesize

    446B

    MD5

    157d5a5389521369e8d42bf50dd9e4e5

    SHA1

    32f0877615d73dd0f952dbaf1425e2e61e8082aa

    SHA256

    5688c7509f409b9f06d40f247000833f8318e4d20dbb6a2dff7fdb74df220bed

    SHA512

    75a583cfa7bd4fb4eaa73b3e189a5dba4116479c5ac5c6be8db95bb656b3951013493ada964d8abf4d5140732ae3e0e1e09e9f48622d445460532ec8eef06f1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\splash.html
    Filesize

    1KB

    MD5

    0d0e0532f51af856688ad83abb889fde

    SHA1

    a1949b703816fa1bc60cf9c395d6dbb0f6f5c61c

    SHA256

    a358150647aaf4413fd2738c8ebcc0579b0bd4ccca8ba02738a4332a430f8ec8

    SHA512

    29322e2446ae5a37a34f113be5924121ce7d8fcfc617818f59c407fe7da01153845a947464345d6b86463b18c75d0adae1cc7dd5f17cf2d29584ef9539d8e0df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\splash.js
    Filesize

    946B

    MD5

    354dce57695e99df9e6faba76346496f

    SHA1

    ca364e2daa4a80cfed7412b0f0374f1f82fa7146

    SHA256

    bb39b6b14ae7f032922366943b342f58be120242020b1fa4dbb3310e39928823

    SHA512

    8f34ae59e5502c70659e358d03709cfdfd01ec2128110932910e8de16888857896e86707c279b3f67edb54059a08ab6ce05b742342e825e2894580ae4a4639ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\Gui\translation.js
    Filesize

    6KB

    MD5

    682fea27f4c335defc18be6fb24d5748

    SHA1

    d4a1743d63508d18af4be59232f3d266228648fb

    SHA256

    928571317e90c4d6680931dffaaae85f382069be2bc72b875810ceb1f7c2744f

    SHA512

    ef70ad8c291fe10c8b1d0dc060fc50b4593cf6fabc03a751aa62d5f4e375b1c80184337816a8e50430964960fc56324259f8833707320c7b757e388ecbd28341

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IM_3A33.tmp\instlangs.xml
    Filesize

    17KB

    MD5

    aa91818150cfadb667ae6f914d43dca0

    SHA1

    4411bd0038ccd464ed7597f0540cfe04867b9042

    SHA256

    2aa71646493cf47b38be0920488159b154eaf19193dc4a6ecfa0a6509196c7c5

    SHA512

    dd1310dc52bb6cc4977341dc34fb6a273e1349602a5fb3037e0b0d087b8f0d2d7a04e2db32e2708379758266c31422d27b5a35f5ba068cd7dbdd211b07893ecd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IM_3A33.tmp\ActionEngine.dll
    Filesize

    977KB

    MD5

    e142a0e9faebdc44d4b692e30827bd0f

    SHA1

    ff83ff5dea3e3f2b75b6f2445fd74f12cdc4f9a4

    SHA256

    fc0ef9bd7711fe39fc075d3d239cc14b293b775ecd42e735928b853f0f5c9a70

    SHA512

    67c700f342ee2ae0f0c7d0ec84eac40356620c949b1b3e93fe83edff954a688d847e37be6150491e3f5580a9a419c028c9b35f8baa43455519e5a076527069ae

    Download Submit

  • memory/1744-103-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1744-177-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.