Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 01/11/2023, 06:00
Static task
- static1
Behavioral task
- behavioral1
  Sample: NEAS.1380be22df410cedb771834c6c38d310.exe
  Resource: win7-20231023-en
Behavioral task
- behavioral2
  Sample: NEAS.1380be22df410cedb771834c6c38d310.exe
  Resource: win10v2004-20231020-en
General
- Target: NEAS.1380be22df410cedb771834c6c38d310.exe
- Size: 328KB
- MD5: 1380be22df410cedb771834c6c38d310
- SHA1: a54e339316224b5821d8f8b879d994f930cb8724
- SHA256: c06a5dc04ba1bacf5fbbeda165870abe89d79dca8a808391bd9a8526d70834a2
- SHA512: 2c1b17ee88d0138d88a571785e9453a953a64df086e7a6a73dc359170dff15be635b7ba39e21550c8c65f88b6b08be0e995c56b0f4f2a3eb27bcd2390dc18320
- SSDEEP: 6144:gyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:gCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\SysWOW64\drivers\680e45f2.sys (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Possible privilege escalation attempt (4 IoCs)
  PID 2596 takeown.exe; PID 2488 icacls.exe; PID 3060 takeown.exe; PID 2464 icacls.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\680e45f2\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\680e45f2.sys" (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Deletes itself (1 IoC)
  PID 2872 cmd.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  PID 2596 takeown.exe; PID 2488 icacls.exe; PID 3060 takeown.exe; PID 2464 icacls.exe
- Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Maps connected drives based on registry (3 TTPs, 3 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\ws2tcpip.dll (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  File created: C:\Windows\SysWOW64\wshtcpip.dll (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  File created: C:\Windows\SysWOW64\midimap.dll (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Modifies registry class (4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "NEAS.1380be22df410cedb771834c6c38d310.exe" (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "s7ws9atY.dll" (process: NEAS.1380be22df410cedb771834c6c38d310.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2148 NEAS.1380be22df410cedb771834c6c38d310.exe (the same entry is reported 64 times)
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID 464 Process not Found; PID 2148 NEAS.1380be22df410cedb771834c6c38d310.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2148 NEAS.1380be22df410cedb771834c6c38d310.exe
  Token: SeTakeOwnershipPrivilege, PID 2596 takeown.exe
  Token: SeTakeOwnershipPrivilege, PID 3060 takeown.exe
- Suspicious use of WriteProcessMemory (28 IoCs; each entry below is reported 4 times)
  PID 2148 (NEAS.1380be22df410cedb771834c6c38d310.exe) wrote to memory of PID 2648, procid_target 31
  PID 2648 (cmd.exe) wrote to memory of PID 2596, procid_target 33
  PID 2648 (cmd.exe) wrote to memory of PID 2488, procid_target 34
  PID 2148 (NEAS.1380be22df410cedb771834c6c38d310.exe) wrote to memory of PID 2540, procid_target 35
  PID 2540 (cmd.exe) wrote to memory of PID 3060, procid_target 37
  PID 2540 (cmd.exe) wrote to memory of PID 2464, procid_target 38
  PID 2148 (NEAS.1380be22df410cedb771834c6c38d310.exe) wrote to memory of PID 2872, procid_target 39
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.1380be22df410cedb771834c6c38d310.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1380be22df410cedb771834c6c38d310.exe"
  PID: 2148
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    PID: 2648
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      PID: 2596
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      PID: 2488
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    PID: 2540
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      PID: 3060
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      PID: 2464
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    PID: 2872
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 181B
  MD5: ee27ddd2c689f51da1e5999d827f2a45
  SHA1: f27b3c0330fd5c2478f1cff96ab808cfcbe26c64
  SHA256: bf10f47d9a792b7b5ffde44a231eecbe83764f48d32a7a9fa9f0a6ec5598f7c2
  SHA512: b029e778f2a0cd46e8f3514d80ffe196d7432be7658c5b866bf674043d0600ea296a0fa4407f7114d9ed10cbdbb8be737fdf08bd28b1332a2c24308601860f6a