Analysis
Max time kernel:  144s
Max time network: 122s
Platform:         windows7_x64
Resource:         win7-20230831-en
Resource tags:    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted:        16/10/2023, 13:08

Static task: static1
Behavioral task: behavioral1
  Sample:   NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample:   NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
Size:   206KB
MD5:    8265b46825474f08279734d3a1f1bbee
SHA1:   69cf68dd15309f39677d8fd7795041c275c5653b
SHA256: 04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7
SHA512: d0cdc6e8dd0a1924c39b91d837f182f2750c542facc49a36626330147cf6f9254735cb4ae3311c7f1d261af434776c468f59a490c9bbd5662203e6df0a5b8b04
SSDEEP: 6144:1cfMsSybxMqmdUTBL17G+rhJZj2ndG93:mMxybx9mdUTlAihrWg
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  PID  | Process
  2616 | YahooAUService.exe
  2632 | z6B61.tmp
  2816 | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Loads dropped DLL (3 IoCs)
  PID  | Process
  1892 | sethc.exe
  2208 | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
  2632 | z6B61.tmp

Drops file in Program Files directory (1 IoC)
  Description  | IoC                                                           | Process
  File created | C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
  Description     | IoC                                                         | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate\Checksum = "0" | YahooAUService.exe
  Key created     | \REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate                | YahooAUService.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate\Version = "0"  | YahooAUService.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID  | Process
  2208 | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
  2632 | z6B61.tmp

Suspicious use of WriteProcessMemory (21 IoCs)
  Each row is one source process writing to a target process; identical events are grouped with their count.
  Source PID | Source process                                        | Target PID | procid_target | Count
  2208       | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe | 2216       | 28            | 4
  2208       | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe | 1892       | 29            | 5
  2208       | NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe | 2632       | 31            | 4
  2632       | z6B61.tmp                                             | 2492       | 32            | 4
  2632       | z6B61.tmp                                             | 2816       | 33            | 4
Processes
(Indentation shows the parent/child relationship; each entry lists the image path, the PID, the command line and the signatures triggered by that process.)

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe  (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  +- C:\Windows\SysWOW64\sethc.exe  (PID 2216)
       Command line: "C:\Windows\system32\sethc.exe"

  +- C:\Windows\SysWOW64\sethc.exe  (PID 1892)
       Command line: "C:\Windows\system32\sethc.exe"
       Signatures: Loads dropped DLL

  +- C:\Users\Admin\AppData\Local\Temp\z6B61.tmp  (PID 2632)
       Command line: "C:\Users\Admin\AppData\Local\Temp\z6B61.tmp" C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
       Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

       +- C:\Windows\SysWOW64\sethc.exe  (PID 2492)
            Command line: "C:\Windows\system32\sethc.exe"

       +- C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe  (PID 2816)
            Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe"
            Signatures: Executes dropped EXE

C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe  (PID 2616)
  Command line: "C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe" -silentupdate
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads