Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.521b0...60.exe

windows7-x64

10

NEAS.521b0...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    200s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2023, 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.521b06aa293edcd182bb96d327762360.exe

  • Size

    207KB

  • MD5

    521b06aa293edcd182bb96d327762360

  • SHA1

    31849c52defe64aaba55d04c07d42579aef8cfd1

  • SHA256

    ec7d5fce0da7f0940b8b5d7c96414362392999a45714c573210046a8d9450d7e

  • SHA512

    e5f0894bd79b361491f4b4eb007ff9c86a6bcbb497b4ca248d639b1ef28d204da5c7f6eebacc9ad0b9179655d023bc8ee9b9b794ed8e9c1de60eaca3dfff2154

  • SSDEEP

    3072:MvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unW:MvEN2U+T6i5LirrllHy4HUcMQY6d

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2512
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2892
          • C:\Windows\SysWOW64\at.exe
            at 19:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1848
            • C:\Windows\SysWOW64\at.exe
              at 19:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1720
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {D89A737B-C685-45EC-88E5-00B978EDD88B} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1744
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\mrsys.exe
        Filesize

        206KB

        MD5

        ad63e74324ae2b541efd64efab9dc881

        SHA1

        6fa194826a64e0581a03f050b41b0c3bf39de8d2

        SHA256

        bfb7cd34b3d9b24ddc8b8a36e7072077d28dd026e70f263e1ed19ee3c209c464

        SHA512

        e6d998d6c5ad086c1610910adafdb5d4d8f221628dff64f6c1421176097c0d72ac8fc70934eb31ca4c69bd3548845313ed0fd2d8872b1f089b392a8f85cc7d36

        Download Submit

      • C:\Windows\system\explorer.exe
        Filesize

        206KB

        MD5

        4dbca889eddbd40e6f985d7f2af1cd14

        SHA1

        842e52797f5dd5d9ea8f044954e18869203875f2

        SHA256

        2715b2abf70f9054bcf73a03b31993532d1e5f20b2f2210a9f624be7f79cd5b5

        SHA512

        206f2ef52d571cb396e1695931f9e471897e2f64ecca6384954fa9db0090bc1e271de7a2eeb799e29cc481f9c522beae1fc490779b77b04a2eab44092ee7fd3b

        Download Submit

      • C:\Windows\system\explorer.exe
        Filesize

        206KB

        MD5

        4dbca889eddbd40e6f985d7f2af1cd14

        SHA1

        842e52797f5dd5d9ea8f044954e18869203875f2

        SHA256

        2715b2abf70f9054bcf73a03b31993532d1e5f20b2f2210a9f624be7f79cd5b5

        SHA512

        206f2ef52d571cb396e1695931f9e471897e2f64ecca6384954fa9db0090bc1e271de7a2eeb799e29cc481f9c522beae1fc490779b77b04a2eab44092ee7fd3b

        Download Submit

      • C:\Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • C:\Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • C:\Windows\system\svchost.exe
        Filesize

        207KB

        MD5

        5febecce0aa3bb09403db92e1f1c4cc0

        SHA1

        95697d40dbe621610ec9caea5de633601eb23ad5

        SHA256

        7d03fa89691a6e43b47caabb2f9ac217190cbbd81a6803ab6d88910198d0da7f

        SHA512

        66013bcbe1634fe469a053e7c262257ce136e25351a0626dc812383053d0f72bd85a718d25aa399d148215c479147142a5c03b91097cfb6b439a09cfc5ba87fa

        Download Submit

      • C:\Windows\system\svchost.exe
        Filesize

        207KB

        MD5

        5febecce0aa3bb09403db92e1f1c4cc0

        SHA1

        95697d40dbe621610ec9caea5de633601eb23ad5

        SHA256

        7d03fa89691a6e43b47caabb2f9ac217190cbbd81a6803ab6d88910198d0da7f

        SHA512

        66013bcbe1634fe469a053e7c262257ce136e25351a0626dc812383053d0f72bd85a718d25aa399d148215c479147142a5c03b91097cfb6b439a09cfc5ba87fa

        Download Submit

      • \??\c:\windows\system\explorer.exe
        Filesize

        206KB

        MD5

        4dbca889eddbd40e6f985d7f2af1cd14

        SHA1

        842e52797f5dd5d9ea8f044954e18869203875f2

        SHA256

        2715b2abf70f9054bcf73a03b31993532d1e5f20b2f2210a9f624be7f79cd5b5

        SHA512

        206f2ef52d571cb396e1695931f9e471897e2f64ecca6384954fa9db0090bc1e271de7a2eeb799e29cc481f9c522beae1fc490779b77b04a2eab44092ee7fd3b

        Download Submit

      • \??\c:\windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • \??\c:\windows\system\svchost.exe
        Filesize

        207KB

        MD5

        5febecce0aa3bb09403db92e1f1c4cc0

        SHA1

        95697d40dbe621610ec9caea5de633601eb23ad5

        SHA256

        7d03fa89691a6e43b47caabb2f9ac217190cbbd81a6803ab6d88910198d0da7f

        SHA512

        66013bcbe1634fe469a053e7c262257ce136e25351a0626dc812383053d0f72bd85a718d25aa399d148215c479147142a5c03b91097cfb6b439a09cfc5ba87fa

        Download Submit

      • \Windows\system\explorer.exe
        Filesize

        206KB

        MD5

        4dbca889eddbd40e6f985d7f2af1cd14

        SHA1

        842e52797f5dd5d9ea8f044954e18869203875f2

        SHA256

        2715b2abf70f9054bcf73a03b31993532d1e5f20b2f2210a9f624be7f79cd5b5

        SHA512

        206f2ef52d571cb396e1695931f9e471897e2f64ecca6384954fa9db0090bc1e271de7a2eeb799e29cc481f9c522beae1fc490779b77b04a2eab44092ee7fd3b

        Download Submit

      • \Windows\system\explorer.exe
        Filesize

        206KB

        MD5

        4dbca889eddbd40e6f985d7f2af1cd14

        SHA1

        842e52797f5dd5d9ea8f044954e18869203875f2

        SHA256

        2715b2abf70f9054bcf73a03b31993532d1e5f20b2f2210a9f624be7f79cd5b5

        SHA512

        206f2ef52d571cb396e1695931f9e471897e2f64ecca6384954fa9db0090bc1e271de7a2eeb799e29cc481f9c522beae1fc490779b77b04a2eab44092ee7fd3b

        Download Submit

      • \Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • \Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • \Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • \Windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        040ad226fe977eb76f312326d7d7d406

        SHA1

        3d3cf9076d9896e561e4d06366614041e7e6c279

        SHA256

        73e31f37d1dd3da47fe434bc64de8c9a9b7daa304cab93bf2f0361bfc621cd18

        SHA512

        537254870eaa70d75e626df062319b3e65beb2163fa1b84e5ac94e39514fa321259c0913245a0d207427481f9e2bb9725eb40ad5e9bb7551bf18f816aaeb8461

        Download Submit

      • \Windows\system\svchost.exe
        Filesize

        207KB

        MD5

        5febecce0aa3bb09403db92e1f1c4cc0

        SHA1

        95697d40dbe621610ec9caea5de633601eb23ad5

        SHA256

        7d03fa89691a6e43b47caabb2f9ac217190cbbd81a6803ab6d88910198d0da7f

        SHA512

        66013bcbe1634fe469a053e7c262257ce136e25351a0626dc812383053d0f72bd85a718d25aa399d148215c479147142a5c03b91097cfb6b439a09cfc5ba87fa

        Download Submit

      • \Windows\system\svchost.exe
        Filesize

        207KB

        MD5

        5febecce0aa3bb09403db92e1f1c4cc0

        SHA1

        95697d40dbe621610ec9caea5de633601eb23ad5

        SHA256

        7d03fa89691a6e43b47caabb2f9ac217190cbbd81a6803ab6d88910198d0da7f

        SHA512

        66013bcbe1634fe469a053e7c262257ce136e25351a0626dc812383053d0f72bd85a718d25aa399d148215c479147142a5c03b91097cfb6b439a09cfc5ba87fa

        Download Submit

      • memory/2600-15-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2600-58-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2608-41-0x0000000002570000-0x00000000025B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2608-56-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2864-12-0x0000000002510000-0x0000000002550000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2864-0-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2864-17-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2892-53-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download