Analysis
- max time kernel: 269s
- max time network: 320s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2023, 18:31
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.a55c29117ae89e88594821a99f607f20.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.a55c29117ae89e88594821a99f607f20.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.a55c29117ae89e88594821a99f607f20.exe
- Size: 220KB
- MD5: a55c29117ae89e88594821a99f607f20
- SHA1: afd3260767864121001edc729d0892c9c4905949
- SHA256: 2d6c0e0739caa8fb53bf16ecbd9f6cf19b7ab380480f3b72bac5d0cb5833fc17
- SHA512: 870272341a34516980af64721e25f9395281fc5a6b8f772095b1e5a02d1defd146b46944413cb114056f2408b3b3cdb278805bb0e89d4d9b762a18d3e259ca51
- SSDEEP: 3072:XlOcumc7pFeqjQu/LGwnRoak/PWiud3uWHWABIippBC:1OCc3eqjawnRNk/PWiuvBRppBC
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  - PID 2504: yzgwzlh.exe
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\PROGRA~3\Mozilla\yzgwzlh.exe (by NEAS.a55c29117ae89e88594821a99f607f20.exe)
  - File created: C:\PROGRA~3\Mozilla\jhnnyvm.dll (by yzgwzlh.exe)
- Suspicious use of UnmapMainImage (2 IoCs)
  - PID 2636: NEAS.a55c29117ae89e88594821a99f607f20.exe
  - PID 2504: yzgwzlh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 3008 (taskeng.exe) wrote to memory of PID 2504, target procid 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.a55c29117ae89e88594821a99f607f20.exe (depth 1)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a55c29117ae89e88594821a99f607f20.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - PID: 2636
- C:\Windows\system32\taskeng.exe (depth 1)
  - Command line: taskeng.exe {834D0D08-511E-41A2-B0C4-29E1CBEC3FF9} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - PID: 3008
  - C:\PROGRA~3\Mozilla\yzgwzlh.exe (depth 2, child of taskeng.exe)
    - Command line: C:\PROGRA~3\Mozilla\yzgwzlh.exe -chuvxnb
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - PID: 2504
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 220KB
  - MD5: e0c312ea6b499aaa54840aed73cf3d1b
  - SHA1: a3ce550a965643be0d44c54837b944f9540d4e95
  - SHA256: c0ce76e018cc5202c8f712fd5d2e8347200d13205c4a4f65329cf02505e4fc82
  - SHA512: 88216a78275b0b2a4020f63b3ecd6aacbd68d77f2573f010cca3571f494d152e200d2bb13f1d72c846abe37e935cfe26eb462460487e984bcc3ea4333db47aa1