Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 143s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 01/11/2023, 08:14
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
- Size: 5.4MB
- MD5: 0a704841ef7ff2575bc8e136125162e0
- SHA1: 590979dd1d403ae3b1270a0e7f6d76cc5f838db6
- SHA256: 01b33258c704cce24861298cdf04deb2e7b094114f443433e1733c968f6fe378
- SHA512: 59d3612ca3c6e37b3a62ea366e853afa2313899b8d2f804fb154ba8b54d61e2dd1ef32e3adf8699e57696389b6f7cd11d59e8997aad8d23802a8bbdb7903f608
- SSDEEP: 98304:V8sjkhhRWieWT0ywsagZ9VeXD3L2ESg+5pX0UiJ/jz/5kylU:rj2hRPeWvnzwrLP25pk/JLz/5zm
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | WindowsLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WindowsLoader.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2672 | WindowsLoader.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2456 | NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
  2092 | regsvr32.exe
- resource | yara_rule
  behavioral1/files/0x002e000000015c88-5.dat | upx
  behavioral1/memory/2456-7-0x0000000002DF0000-0x0000000003013000-memory.dmp | upx
  behavioral1/files/0x002e000000015c88-9.dat | upx
  behavioral1/files/0x002e000000015c88-16.dat | upx
  behavioral1/memory/2672-53-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Win = "rundll32 shell32,ShellExec_RunDLL regsvr32 -s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sfx.dll\"" | NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | WindowsLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | WindowsLoader.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2672 | WindowsLoader.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: 33 | 2672 | WindowsLoader.exe
  Token: SeIncBasePriorityPrivilege | 2672 | WindowsLoader.exe
  Token: 33 | 2672 | WindowsLoader.exe
  Token: SeIncBasePriorityPrivilege | 2672 | WindowsLoader.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2672 | WindowsLoader.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2456 wrote to memory of 2672 | 2456 | NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe | 28 (4 entries)
  PID 2456 wrote to memory of 2692 | 2456 | NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe | 29 (4 entries)
  PID 2692 wrote to memory of 2092 | 2692 | cmd.exe | 31 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2456
  - C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2672
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
    - Suspicious use of WriteProcessMemory
    PID: 2692
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
      - Loads dropped DLL
      PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.8MB
  MD5: 323c0fd51071400b51eedb1be90a8188
  SHA1: 0efc35935957c25193bbe9a83ab6caa25a487ada
  SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
  SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
- Filesize: 2.7MB
  MD5: 886163cbb48343bb0a22aa0c16314f05
  SHA1: c5208edce4a1015156e5eaa48256f1ed80e4c29d
  SHA256: ecf37b14689cbf7f2b31cabfa635109ec42ae69a7243b9f07bf86cbb15908e29
  SHA512: 15aa1bd16d8d68c32d6f695467305eff9ff20d3347cca20c51f3eeaa29cb48942aed3f353102c39b1753fcaf9f973a207fdb59e7bdff9e553f929eafe75be739