Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
31/10/2023, 20:28
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe
-
Size
376KB
-
MD5
cec3bc2a6f0e1011becd5df92117b710
-
SHA1
86df3f63439875a751ae4644ebe89df53fde3250
-
SHA256
3887ef3c315b9d6f44469d14fe239a7d65c735786fe588f8f8fcec0adb8cd96b
-
SHA512
428572fea7fd12e220f632a803f65a427ec8d9790a65a3b55a29397ab49a6e38431e1f1b61327dd839f97e7645b6d8f7fa5e228f933b9014edb3f70c4a1cee07
-
SSDEEP
6144:jVTarW9Q2dU6VPAKovnQUvmmAF7J77777S40X0p:jVmrW9HZPGvnQUvmmAF7J77777SnX0p
Malware Config
Extracted
Protocol: ftp- Host:
ftp.tripod.com - Port:
21 - Username:
onthelinux - Password:
741852abc
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2164 jusched.exe -
Loads dropped DLL 2 IoCs
pid Process 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\9f1a2bb4\9f1a2bb4 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe File created C:\Program Files (x86)\9f1a2bb4\jusched.exe NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Update23.job NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2940 wrote to memory of 2164 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe 28 PID 2940 wrote to memory of 2164 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe 28 PID 2940 wrote to memory of 2164 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe 28 PID 2940 wrote to memory of 2164 2940 NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.cec3bc2a6f0e1011becd5df92117b710_JC.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Program Files (x86)\9f1a2bb4\jusched.exe"C:\Program Files (x86)\9f1a2bb4\jusched.exe"2⤵
- Executes dropped EXE
PID:2164
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17B
MD5209aa6c14d66621f3aa1cee03a8bf5dc
SHA10f5bce2a29d3306586934b6d846a172078ee8e66
SHA25657ef9e3c809cf3ca41782d4c7119c3ae7e43ccbb1c00d978b745677f14b82c2e
SHA5128b9fb2bcc8e8785a48d3fe212f852c2f108ef2ab20e9e2a61e9bba5857002abe9111e42411bfc573e50c126031b7ef0433bddfa357de2ca0814f7d31157b9c63
-
Filesize
376KB
MD5d06e43d3aed9b1d617f89d2e656d08f0
SHA1697cc7a6483862cf82ada5a9318eb454e93d6998
SHA256e01b53ebf3e1f75c20fd2400e4eeac5e599d6b927dcc75c18d0178d4656eb7ad
SHA512840b6ada197bfbd4eb8d179c211e1ef9981f38fe0699a7a8eff9c578cacab97d22fa38e8371473b0bf247792534f603f78f8ab4a78cccd9abcf5010a65e5e0c1
-
Filesize
376KB
MD5d06e43d3aed9b1d617f89d2e656d08f0
SHA1697cc7a6483862cf82ada5a9318eb454e93d6998
SHA256e01b53ebf3e1f75c20fd2400e4eeac5e599d6b927dcc75c18d0178d4656eb7ad
SHA512840b6ada197bfbd4eb8d179c211e1ef9981f38fe0699a7a8eff9c578cacab97d22fa38e8371473b0bf247792534f603f78f8ab4a78cccd9abcf5010a65e5e0c1
-
Filesize
376KB
MD5d06e43d3aed9b1d617f89d2e656d08f0
SHA1697cc7a6483862cf82ada5a9318eb454e93d6998
SHA256e01b53ebf3e1f75c20fd2400e4eeac5e599d6b927dcc75c18d0178d4656eb7ad
SHA512840b6ada197bfbd4eb8d179c211e1ef9981f38fe0699a7a8eff9c578cacab97d22fa38e8371473b0bf247792534f603f78f8ab4a78cccd9abcf5010a65e5e0c1
-
Filesize
376KB
MD5d06e43d3aed9b1d617f89d2e656d08f0
SHA1697cc7a6483862cf82ada5a9318eb454e93d6998
SHA256e01b53ebf3e1f75c20fd2400e4eeac5e599d6b927dcc75c18d0178d4656eb7ad
SHA512840b6ada197bfbd4eb8d179c211e1ef9981f38fe0699a7a8eff9c578cacab97d22fa38e8371473b0bf247792534f603f78f8ab4a78cccd9abcf5010a65e5e0c1