Analysis

max time kernel: 151s
max time network: 128s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 22/10/2023, 17:26
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  Resource: win10v2004-20231020-en
General

Target: NEAS.b63ceee432db98368c63d184cc5b43e0.exe
Size: 436KB
MD5: b63ceee432db98368c63d184cc5b43e0
SHA1: d65f91820b8a1bcb184f74bd29b1064318bd1df5
SHA256: 37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb
SHA512: c534dcd220f67078c34c6ca0391c34d357669dfaa05578e26b4663edc97d9bab93125f3f2ed460cfe76c4be1eeea8faf3280b44d8e7d646e70f31b4232a8cbaf
SSDEEP: 6144:8vEN2U+T6i5LirrllHy4HUcMQY6Pj5q8deoJVP6Y0YB3YFy:OENN+T5xYrllrU7QY6U8zVP6Y53B
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)

  pid | Process
  2728 | explorer.exe
  2780 | spoolsv.exe
  2096 | svchost.exe
  2788 | spoolsv.exe

Loads dropped DLL (8 IoCs)

  pid | Process | events
  1396 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 2
  2728 | explorer.exe | 2
  2780 | spoolsv.exe | 2
  2096 | svchost.exe | 2

Adds Run key to start application (2 TTPs, 4 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
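The four registry signatures above are the sample's autostart set. It appends a second program to the Winlogon Shell value (Winlogon accepts a comma-separated list, so both the real explorer.exe and c:\windows\system\explorer.exe start at logon), registers an Active Setup component whose StubPath points into %AppData% (Active Setup runs the StubPath once per user at logon whenever the component's key is missing under HKCU), plants RunOnce entries for binaries that reuse system names from the legacy c:\windows\system directory, and sets ShowSuperHidden to 0 so the dropped files stay hidden in Explorer. Note that every HKLM write lands in the Wow6432Node view because the sample is 32-bit; a hunt on x64 has to read both views. The script below is an added example, not part of the tria.ge report, that applies those checks to the "Set value" records copied from the tables above plus one constructed benign Winlogon line; the EXPECTED_DIRS map of where each system binary legitimately lives and the well-formed-GUID check are my assumptions about a default 64-bit install, not something the report states.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the "Set value" records from the signature tables above,
# copied as the sandbox rendered them (values carry doubled backslashes), plus
# one constructed benign default Winlogon line that is not from the report.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',  # constructed, benign
]

IOC_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)

# Assumed canonical locations on a default 64-bit install. A binary with one of
# these names anywhere else is masquerading (ATT&CK T1036.005).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def parse_ioc(line):
    """Split one record into (value type, key path, unescaped value, writer)."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unparsed IoC line: {line}")
    vtype, key, raw_value, process = m.groups()
    return vtype, key, raw_value.replace("\\\\", "\\"), process


def exe_of(command):
    """First token of a command string (none of these samples quote the path)."""
    return command.strip().split(" ")[0]


def masquerade_reason(path):
    """Explain why a path abuses a well-known system binary name, else None."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if not expected or str(p.parent) == ".":   # bare names resolve via the search path
        return None
    if str(p.parent).lower() not in expected:
        return f"{p.name.lower()} running from {p.parent} instead of {sorted(expected)}"
    return None


def check_ioc(line):
    """Return the findings (possibly none) for one 'Set value' record."""
    _vtype, key, value, process = parse_ioc(line)
    k = key.lower()
    findings = []
    if k.endswith(r"\winlogon\shell"):
        # Winlogon accepts a comma-separated list; the default is a single explorer.exe
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if len(entries) != 1 or PureWindowsPath(entries[0]).name.lower() != "explorer.exe":
            findings.append(f"Winlogon Shell has {len(entries)} entries: {entries}")
        findings += ["Winlogon Shell: " + r for r in map(masquerade_reason, entries) if r]
    elif "\\active setup\\installed components\\" in k and k.endswith(r"\stubpath"):
        component = key.split("\\")[-2]
        if not GUID_RE.match(component):
            findings.append(f"Active Setup component {component} is not a well-formed GUID")
        if "\\appdata\\" in exe_of(value).lower():
            findings.append(f"Active Setup StubPath runs from a user profile: {exe_of(value)}")
    elif "\\currentversion\\runonce\\" in k or "\\currentversion\\run\\" in k:
        r = masquerade_reason(exe_of(value))
        if r:
            findings.append("Run/RunOnce: " + r)
    elif k.endswith(r"\explorer\advanced\showsuperhidden") and value == "0":
        findings.append(f"{process} forces protected OS files hidden (ShowSuperHidden=0)")
    return findings


def scan(lines):
    """Map every record to its findings; an empty list means nothing suspicious."""
    return {line: check_ioc(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_IOCS).items():
        print("ALERT" if hits else "ok   ", line.split(" = ")[0][-60:])
        for hit in hits:
            print("      -", hit)
```

The Winlogon rule fires on the shell value from the report twice (two entries, and the second one is an explorer.exe outside C:\Windows), the Active Setup rule fires on both the malformed GUID and the %AppData% target, the RunOnce rule fires on the name/location mismatch, and the constructed default line produces no finding.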
Drops file in Windows directory (6 IoCs)

  description | ioc | Process
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | NEAS.b63ceee432db98368c63d184cc5b43e0.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid | Process | events
  1396 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 1
  2728 | explorer.exe | 33
  2096 | svchost.exe | 30

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

  pid | Process
  2728 | explorer.exe
  2096 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)

  pid | Process | events
  1396 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 2
  2728 | explorer.exe | 4
  2780 | spoolsv.exe | 2
  2096 | svchost.exe | 2
  2788 | spoolsv.exe | 2

Suspicious use of WriteProcessMemory (28 IoCs; each record below is logged four times)

  description | pid | Process | procid_target
  PID 1396 wrote to memory of 2728 | 1396 | NEAS.b63ceee432db98368c63d184cc5b43e0.exe | 28
  PID 2728 wrote to memory of 2780 | 2728 | explorer.exe | 29
  PID 2780 wrote to memory of 2096 | 2780 | spoolsv.exe | 30
  PID 2096 wrote to memory of 2788 | 2096 | svchost.exe | 31
  PID 2096 wrote to memory of 2552 | 2096 | svchost.exe | 32
  PID 2096 wrote to memory of 2896 | 2096 | svchost.exe | 36
  PID 2096 wrote to memory of 2024 | 2096 | svchost.exe | 39
Processes

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe (PID 1396)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe (PID 2728)
        cmdline: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe (PID 2780)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe (PID 2096)
                cmdline: c:\windows\system\svchost.exe
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe (PID 2788)
                    cmdline: c:\windows\system\spoolsv.exe PR
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe (PID 2552)
                    cmdline: at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

                [5] C:\Windows\SysWOW64\at.exe (PID 2896)
                    cmdline: at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

                [5] C:\Windows\SysWOW64\at.exe (PID 2024)
                    cmdline: at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

[1] C:\Windows\system32\taskeng.exe (PID 2832)
    cmdline: taskeng.exe {E202FC12-D8DF-4A6D-A44F-675AF2BAA5A5} S-1-5-18:NT AUTHORITY\System:Service:
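The three at.exe invocations under PID 2096 are a second persistence layer that the ATT&CK summary below does not list: scheduled jobs (Scheduled Task/Job: At, T1053.002) that launch c:\windows\system\svchost.exe every day of the week at 22:44, 22:45 and 22:46. Jobs created with at.exe run under the Local System account, /interactive lets them interact with the logged-on desktop, and at.exe is deprecated from Windows 8 onwards (it refuses to create jobs and refers to schtasks.exe), so this leg only works on the Windows 7 image. The WriteProcessMemory table is also the cleanest record of the spawn chain. The script below is an added example, not part of the tria.ge report, that parses the at.exe command lines and the WriteProcessMemory records copied from above into structured data; the flag grammar it accepts (/interactive, /every:, /next:) is the documented at.exe syntax, and the one duplicated record in WPM_LINES is there to show the deduplication.

```python
import re
from dataclasses import dataclass

# Constructed input copied from the process tree above: the three at.exe
# command lines and the parent/child records of the WriteProcessMemory table
# (one of them repeated, as every record is in the report).
AT_CMDLINES = [
    r"at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]
WPM_LINES = [
    "PID 1396 wrote to memory of 2728 1396 NEAS.b63ceee432db98368c63d184cc5b43e0.exe 28",
    "PID 1396 wrote to memory of 2728 1396 NEAS.b63ceee432db98368c63d184cc5b43e0.exe 28",
    "PID 2728 wrote to memory of 2780 2728 explorer.exe 29",
    "PID 2780 wrote to memory of 2096 2780 spoolsv.exe 30",
    "PID 2096 wrote to memory of 2788 2096 svchost.exe 31",
    "PID 2096 wrote to memory of 2552 2096 svchost.exe 32",
    "PID 2096 wrote to memory of 2896 2096 svchost.exe 36",
    "PID 2096 wrote to memory of 2024 2096 svchost.exe 39",
]

ALL_DAYS = ("M", "T", "W", "Th", "F", "S", "Su")   # weekday codes at.exe accepts

# at <time> [/interactive] [/every:d[,...] | /next:d[,...]] <command>
AT_RE = re.compile(r"^at\s+(\d{1,2}:\d{2})((?:\s+/\S+)*)\s+(.+)$", re.I)
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


@dataclass(frozen=True)
class AtJob:
    time: str
    interactive: bool
    every_days: tuple     # weekday codes from /every:, empty if not recurring
    next_days: tuple      # weekday codes from /next:, empty if absent
    command: str


def parse_at(cmdline):
    """Turn one at.exe command line into an AtJob."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        raise ValueError(f"not an at.exe job line: {cmdline}")
    time, flags, command = m.groups()
    interactive, every_days, next_days = False, (), ()
    for flag in flags.split():
        name, _, arg = flag[1:].partition(":")
        if name.lower() == "interactive":
            interactive = True
        elif name.lower() == "every":
            every_days = tuple(arg.split(","))
        elif name.lower() == "next":
            next_days = tuple(arg.split(","))
    return AtJob(time, interactive, every_days, next_days, command.strip())


def is_daily(job):
    """True when /every: names all seven days, i.e. the job fires every day."""
    return set(job.every_days) == set(ALL_DAYS)


def parse_wpm(lines):
    """Build parent -> [children] (deduplicated, first-seen order) and
    parent pid -> image name from WriteProcessMemory records."""
    children, images, seen = {}, {}, set()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m or (int(m[1]), int(m[2])) in seen:
            continue
        parent, child = int(m[1]), int(m[2])
        seen.add((parent, child))
        children.setdefault(parent, []).append(child)
        images[parent] = m[3]
    return children, images


def descendants(children, root):
    """Every pid spawned under root, in preorder (parent before its children)."""
    out = []
    for child in children.get(root, []):
        out.append(child)
        out.extend(descendants(children, child))
    return out


def summarize(at_cmdlines, wpm_lines):
    """The facts a triage note would pull from the two tables."""
    jobs = [parse_at(c) for c in at_cmdlines]
    children, images = parse_wpm(wpm_lines)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    return {
        "roots": roots,
        "root_images": [images[p] for p in roots],
        "spawn_chain": {r: descendants(children, r) for r in roots},
        "daily_jobs": sum(is_daily(j) for j in jobs),
        "interactive_jobs": sum(j.interactive for j in jobs),
        "job_times": sorted(j.time for j in jobs),
        "job_targets": sorted({j.command for j in jobs}),
    }


if __name__ == "__main__":
    for k, v in summarize(AT_CMDLINES, WPM_LINES).items():
        print(f"{k:>17}: {v}")
```

On the report's data the summary shows a single root (PID 1396, the submitted sample) with the chain 2728, 2780, 2096, 2788, 2552, 2896, 2024 beneath it, three daily interactive jobs, and one job target, which is the same c:\windows\system\svchost.exe the RunOnce and Winlogon entries point at.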
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Dropped files (unique by hash)

Filesize: 436KB
MD5: 72bf1dc947e78ce78833e32c625819c7
SHA1: 81e9b16abd00fda866eb753206562a935c98befa
SHA256: 23cf8279331a71f6986d6d9bb64c0e491ca4cb0e7db6980b2ecabd05cad1dcb6
SHA512: e734bb883658cdb722eea0b15abe1ab07031979988402b691d3ace48d582856db1d914192df846bde857f996b4a3ea8ed56c8cc68843e64dcea524855d0c54d9

Filesize: 436KB
MD5: 16618dbfde03f16835752217c224c539
SHA1: ade73cbc510ca1a3af1fd4c8f691da258e7b2a35
SHA256: 05bf15be0803913760c658f6b716ae9e0cc543cd604e2e1f2b9c0477424c8197
SHA512: d03c73a1a4d90d8ed0c9f3b76a3d2b9b7d9b16982b048c830926fee362d00ea3dc2a7771f0b817f8bfc82d98965f05d4864d265fb41aaf4aa94211141c131244

Filesize: 436KB
MD5: cad4e6992bc0006cecaa0d44ecbb0012
SHA1: 9954e4e2de5d081d24b940cc53ac3aa7b96854fb
SHA256: 5444175a1c9dc5d622e57fddc182ff28bf28b743045316f252c9d0480b953b79
SHA512: 014905882f1256ff53da5285474e37e5a0d39c612cfc237c91d8c9a88f78a1880fb92b079a4f03a139ae03f0ac85ea162b0f72bda54215add17095a5c96e04aa

Filesize: 436KB
MD5: fd2fc113e7f23484052c796f4cab0f32
SHA1: 0b94d96179c081b65eb72d5231e9b176d4649b76
SHA256: d69da19dceb67c03c0c76847f133cceb23fa9c7ee2444bf42762dd2fc3b5d035
SHA512: 7585e2609c54925653c0deb3959bf49723baaac3ab2e50fe9fc8abb4fde3d03679fe18ddb11a12352b08ecff05e9d921626f9ae13ed3562a7185c494f5653f33