Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

5

NEAS.0a704...JC.exe

windows7-x64

7

NEAS.0a704...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2023, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe

  • Size

    5.4MB

  • MD5

    0a704841ef7ff2575bc8e136125162e0

  • SHA1

    590979dd1d403ae3b1270a0e7f6d76cc5f838db6

  • SHA256

    01b33258c704cce24861298cdf04deb2e7b094114f443433e1733c968f6fe378

  • SHA512

    59d3612ca3c6e37b3a62ea366e853afa2313899b8d2f804fb154ba8b54d61e2dd1ef32e3adf8699e57696389b6f7cd11d59e8997aad8d23802a8bbdb7903f608

  • SSDEEP

    98304:V8sjkhhRWieWT0ywsagZ9VeXD3L2ESg+5pX0UiJ/jz/5kylU:rj2hRPeWvnzwrLP25pk/JLz/5zm

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0a704841ef7ff2575bc8e136125162e0_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
        3⤵
        • Loads dropped DLL
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    Filesize

    3.8MB

    MD5

    323c0fd51071400b51eedb1be90a8188

    SHA1

    0efc35935957c25193bbe9a83ab6caa25a487ada

    SHA256

    2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

    SHA512

    4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    Filesize

    3.8MB

    MD5

    323c0fd51071400b51eedb1be90a8188

    SHA1

    0efc35935957c25193bbe9a83ab6caa25a487ada

    SHA256

    2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

    SHA512

    4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sfx.dll
    Filesize

    2.7MB

    MD5

    886163cbb48343bb0a22aa0c16314f05

    SHA1

    c5208edce4a1015156e5eaa48256f1ed80e4c29d

    SHA256

    ecf37b14689cbf7f2b31cabfa635109ec42ae69a7243b9f07bf86cbb15908e29

    SHA512

    15aa1bd16d8d68c32d6f695467305eff9ff20d3347cca20c51f3eeaa29cb48942aed3f353102c39b1753fcaf9f973a207fdb59e7bdff9e553f929eafe75be739

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sfx.dll
    Filesize

    2.7MB

    MD5

    886163cbb48343bb0a22aa0c16314f05

    SHA1

    c5208edce4a1015156e5eaa48256f1ed80e4c29d

    SHA256

    ecf37b14689cbf7f2b31cabfa635109ec42ae69a7243b9f07bf86cbb15908e29

    SHA512

    15aa1bd16d8d68c32d6f695467305eff9ff20d3347cca20c51f3eeaa29cb48942aed3f353102c39b1753fcaf9f973a207fdb59e7bdff9e553f929eafe75be739

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    Filesize

    3.8MB

    MD5

    323c0fd51071400b51eedb1be90a8188

    SHA1

    0efc35935957c25193bbe9a83ab6caa25a487ada

    SHA256

    2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

    SHA512

    4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sfx.dll
    Filesize

    2.7MB

    MD5

    886163cbb48343bb0a22aa0c16314f05

    SHA1

    c5208edce4a1015156e5eaa48256f1ed80e4c29d

    SHA256

    ecf37b14689cbf7f2b31cabfa635109ec42ae69a7243b9f07bf86cbb15908e29

    SHA512

    15aa1bd16d8d68c32d6f695467305eff9ff20d3347cca20c51f3eeaa29cb48942aed3f353102c39b1753fcaf9f973a207fdb59e7bdff9e553f929eafe75be739

    Download Submit

  • memory/2092-63-0x00000000023C0000-0x00000000024A4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2092-62-0x00000000023C0000-0x00000000024A4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2092-59-0x00000000023C0000-0x00000000024A4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2092-58-0x00000000022C0000-0x00000000023BE000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/2092-51-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2092-64-0x0000000010000000-0x00000000102A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2092-50-0x0000000010000000-0x00000000102A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2456-7-0x0000000002DF0000-0x0000000003013000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2672-47-0x0000000002930000-0x0000000002941000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2672-53-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2672-39-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2672-31-0x0000000000650000-0x0000000000662000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2672-26-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-19-0x0000000002480000-0x0000000002623000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2672-17-0x0000000000630000-0x0000000000643000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2672-78-0x0000000000670000-0x0000000000680000-memory.dmp

    Filesize

    64KB

    Download