Analysis
max time kernel: 240s
max time network: 282s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2023, 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
Size: 208KB
MD5: 7b9b9853ef5877b00cc43e9760590ab0
SHA1: 7b4893137e7518b060ee6a0e185e53d779d841ad
SHA256: e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb
SHA512: 01b4da351de22899f9152375230cb77f7f8a1bdb3de2ebf67971c0abf6b08e5c55d244a7f0e32c48d39c1d0c6ae9f6163616e6ef0ce58740007998ce4f4f4c1b
SSDEEP: 6144:YwDrqb3DppfVf07P1uxsyAIxh6SqWyKQEj1:Ywi/PNf07P1aQIxh6Sq/KQC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2120  JUF.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2780  cmd.exe
  2780  cmd.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                               Process
  File created                  C:\windows\SysWOW64\JUF.exe       NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  File opened for modification  C:\windows\SysWOW64\JUF.exe       NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  File created                  C:\windows\SysWOW64\JUF.exe.bat   NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  2120  JUF.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
  2120  JUF.exe
  2120  JUF.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                     procid_target
  PID 2776 wrote to memory of 2780     2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe   27
  PID 2776 wrote to memory of 2780     2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe   27
  PID 2776 wrote to memory of 2780     2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe   27
  PID 2776 wrote to memory of 2780     2776  NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe   27
  PID 2780 wrote to memory of 2120     2780  cmd.exe                                     29
  PID 2780 wrote to memory of 2120     2780  cmd.exe                                     29
  PID 2780 wrote to memory of 2120     2780  cmd.exe                                     29
  PID 2780 wrote to memory of 2120     2780  cmd.exe                                     29
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe"
   PID: 2776
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\windows\system32\JUF.exe.bat" "
      PID: 2780
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\windows\SysWOW64\JUF.exe
         Command line: C:\windows\system32\JUF.exe
         PID: 2120
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 208KB
  MD5: dde050bf1a4c2e69b4e127a4e95032ea
  SHA1: 4358d6f8277639f5c130f012d7c354bf4bc0b38b
  SHA256: f5da62c2c86cefb65253376a4aa1e16acccb8281aa6c40a02427b814d7214ccb
  SHA512: d8e7e865a4b3c321b7f2e6383bcc9b2123f2963637cbbdd9d0f9a7e830a5a533796d1b0caad0010f6f838b6ba411704edfc1f140077e7403a8eec420e2ac60fd
- Filesize: 70B
  MD5: d00bd537d8d99408a5d72556c51e62a4
  SHA1: d41715cd7dbd11bad743cd9bdce51a18fec6f952
  SHA256: a1c3231c6e6c6af35896edd1d00af6eee79a2a9e4e0f4f715020846e2852c58d
  SHA512: ed39f8352212f70187c4003b742da0fcc494cc38888a5e108dc0b2c259cf0243e4a05d8d0c4d2c154137eee00b8f18aa9756d7517c5dedcdbb253f7d0b8c1786