Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

NEAS.6bfee...JC.exe

windows7-x64

7

NEAS.6bfee...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2023, 19:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe

  • Size

    188KB

  • MD5

    6bfee40e596a6c1159d3b26387bb67d0

  • SHA1

    bf79cef3a20a3d337d2f3f54be0948e6d0363025

  • SHA256

    7d64cc2887a9be7e1740059a02b8b70c8a045aefdfe7ac18e23e9bdcc2cd81db

  • SHA512

    a42907c35c7e78184aa0a3b157c4103f15f376f5a9ba8c7221f0508261637a71630837e43fc69f89c3b483d7b782707ed0f209c07b011695dd2d3a73fc4c3514

  • SSDEEP

    3072:Rc2YlPYqPt7EYjQ9oDJG7zdeGBYIGTPCMJLj9uqgnaIEXvDcGH2abADBS:qf5Pt7VOe7CMJVFgaX/FWabAo

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe
      "C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS.6bfee40e596a6c1159d3b26387bb67d0_JC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4904

Network

  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    126.22.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.22.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    27.178.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    27.178.89.13.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    126.22.238.8.in-addr.arpa
    dns
    71 B
     125 B
     1
    1

    DNS Request

    126.22.238.8.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    27.178.89.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    27.178.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe
    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe
    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MWL_DecryptFile.exe
    Filesize

    52KB

    MD5

    f870f701ef885f2ffe92eb9766d8df10

    SHA1

    5ef9d0b3eb778b5fdfe6a30994e1e60f2fd3d612

    SHA256

    903122b7607aaea06fd0d6208f707b75f4d5af8283c412aa2d48c2d3cfd4f291

    SHA512

    3e9d8e38af55505b1a50aeba1bb551bacd4e717fef1323fe8abc17273e40e92acf2789550719e7d72a1bc3cf1cfdf9dc5c2ba278eca4139225340fc25a65c4d7

    Download Submit

  • memory/568-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/568-13-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4904-12-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-15-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-20-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-21-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-27-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.