Analysis
- max time kernel: 128s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2023, 19:17
Static task
- static1
Behavioral task
- behavioral1
  - Sample: NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
  - Resource: win7-20230831-en
Behavioral task
- behavioral2
  - Sample: NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
  - Resource: win10v2004-20230915-en
General
- Target: NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
- Size: 261KB
- MD5: df1be8e4c58f3cf6d724a80a3d18ba60
- SHA1: b64044ca47c4b3efeb3d1a388d5bb5a22627b748
- SHA256: 682a12ca752f2bdd16cd9ab3de71e44147307eaa88e2a7ced2bc8c28f267cd91
- SHA512: 5d9022825369ebcebf36565cfdc0bdb855239ee29d220e5e0828e1b762a2e051e4d96077242081db1f9b6a97a270ffdf13d36462bca1bb82a738ac713a9abae0
- SSDEEP: 3072:SVHgCc4xGvbwcU9KQ2BBAHmaPxiVojb5EGW:TCc4xGxWKQ2Bonxa
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.byethost12.com
- Port: 21
- Username: b12_8082975
- Password: 951753zx
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: onthelinux
- Password: 741852abc
Signatures
- Executes dropped EXE (1 IoC)
  - pid 1972, process jusched.exe
- Loads dropped DLL (2 IoCs)
  - pid 2432, process NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
  - pid 2432, process NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\d268e381\jusched.exe, process NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
  - File created: C:\Program Files (x86)\d268e381\d268e381, process NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
- Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\Tasks\Update23.job, process NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2432 (NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe) wrote to memory of PID 1972, procid_target 28 (reported four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\d268e381\jusched.exe (PID 1972)
    Command line: "C:\Program Files (x86)\d268e381\jusched.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17B
  - MD5: 134c1d489094d6d3399f65b0e9aebc1f
  - SHA1: 612a57fbe6ed3ab9c15b39451171d813314a28d5
  - SHA256: 54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781
  - SHA512: b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed
- Filesize: 261KB
  - MD5: 400e34855ec57a36e7ede50b6ec8f080
  - SHA1: 3b922f5d45df992794bc0a1cf81e4138f63bc84e
  - SHA256: 2b00be5aad2c657bafd140f57030ac79aee24d5087363e50b9e66074ce256e92
  - SHA512: 13351574f6ff98e8ff777f76568504152e10bc4cdcd058796c812b9a906d7cbe1b7478ad217493bb7ae4ddbd32da56b8ce5374595b568c671a6cd29e4c7f8ecb