Analysis

  • max time kernel
    125s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2023, 21:23

General

  • Target

    NEAS.702ee218cab1cca6d1c9d68681cef620.exe

  • Size

    5.5MB

  • MD5

    702ee218cab1cca6d1c9d68681cef620

  • SHA1

    798ee2288f421c71062610ec89d44aa2b66c0f0c

  • SHA256

    9a23c61502141ca5a2be7d1649f740041e1c836fbfbb291726fbb083f8e91f34

  • SHA512

    5fdaf8a8416c359bd1d2a4b8d24ab0817145859703061ab121911147e027c0f5bb9a800aa2154ca85398fbf529216f312a0ed5755aa73dba5b7381ce07145d79

  • SSDEEP

    98304:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7c:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7oM

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  • Adds policy Run key to start application (2 TTPs, 6 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key (1 TTP, 5 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:2208
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2052
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2868
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:2300
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2516
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1288
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:1756
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1848
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1248
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    11.1MB

    MD5

    99e70272ef75fa161ab90d2ff79352f2

    SHA1

    f635cf132b1c8eb7a67e084156612e07eb92aeb8

    SHA256

    15344285369949e53948f21871e2ac3482f66316797569eb53de69a0bee3f143

    SHA512

    8200908f2dbb3a8f1c1f9a3ea1743ab8a782431b6238aad9f9b6d38b10ec3464d6e9f4d756be90e1475132d8d3539d05643f5b296ee90fe57e2038be480693a9

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    16.6MB

    MD5

    61e1b0f49ebfc511c54034ae1db7c73a

    SHA1

    24cc65e4bcaa3e32e417218dac94dd0bf81408eb

    SHA256

    ab457460cb409be125ce96fb43f31d50915db9dcef66973448aa440b98fa1b39

    SHA512

    7fa98620ab8256e0fa0ba6cce83cec58ee3621c8ebf1367ff9b8a6d1ee306871f355eef2234035631e47a5b721013ba28db9bdb55a0a37b74274aa9ba9036b01

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    22.1MB

    MD5

    87ad940d9629f47f0a7ef432be29de61

    SHA1

    146df540518e1cf905bac24b3978a9f20ed66468

    SHA256

    9c3522ae80b12fb6d4046a7142ef59b6518be66ebf2f3f5499523f55b26200ab

    SHA512

    2717cf6bb1c7ad5750290ceb9b36034066db27732a407cfc920cdafbdb34ba79d976931eba9dcd0ff0fb390dece12fdaa8a41d9736274785a2b5269622dbbe35

  • C:\Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    5.5MB

    MD5

    7410591190cf5d5f0d75f09c6f665b3d

    SHA1

    8d85933a15527eede55a5e28befeabd54115c413

    SHA256

    b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

    SHA512

    ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    8efe12486864409fbae311e782e263dc

    SHA1

    e7fe92017451e5a228942c5181fdb2bdd2d5951c

    SHA256

    565ae16d0c1339864ad7edae20551bf25fff8626d0ead51f046a1fa8babd518d

    SHA512

    5114517d34ca3ab2114f87139b390d29e0e5a9ad9e4dfb0548df94085bda60658284cf7fed3bb437727dcdc18f7fbd8cce7605a248696ce9720a052530f59059

  • C:\Windows\hosts.exe

    Filesize

    5.5MB

    MD5

    910a94a2c9733f0fd7b3140c9cfb3d38

    SHA1

    4d4414dc0271acbfc0a9c57b4bc10882acaa0191

    SHA256

    b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

    SHA512

    c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

  • C:\windows\hosts.exe

    Filesize

    5.5MB

    MD5

    910a94a2c9733f0fd7b3140c9cfb3d38

    SHA1

    4d4414dc0271acbfc0a9c57b4bc10882acaa0191

    SHA256

    b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

    SHA512

    c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    5.5MB

    MD5

    7410591190cf5d5f0d75f09c6f665b3d

    SHA1

    8d85933a15527eede55a5e28befeabd54115c413

    SHA256

    b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

    SHA512

    ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591
