Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

NEAS.126d6...60.exe

windows7-x64

8

NEAS.126d6...60.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.126d6e9073f8444dcf9560f96dba2e60.exe

  • Size

    328KB

  • MD5

    126d6e9073f8444dcf9560f96dba2e60

  • SHA1

    23c4585577ebc0f8265775ae9d634dbadea21141

  • SHA256

    70ac00b86b91507d96560d4c4785d64fff0f74085a893844289b11f1d99b3bd7

  • SHA512

    b38373954450698979d6f1b42a543815681407ffdf1ae9d1d006117a92e7657aaff23a505e1a4c870f14951827775e03f7a12a6a07bc50589ce63778d5835901

  • SSDEEP

    6144:yyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:yCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.126d6e9073f8444dcf9560f96dba2e60.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.126d6e9073f8444dcf9560f96dba2e60.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:388
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1256
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
        PID:2060

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      Filesize

      181B

      MD5

      10391122ff8e2055b00c4440098ebc88

      SHA1

      e3b41199c25a73c7b980e3a73edb6afe51e273f1

      SHA256

      141d15855fefead79a9718421e2da5b7cb6f5f1d23e9c4e27bb8459fcf76afcb

      SHA512

      061a4d4f4c7b00e498d57177ea8eabb54fbb0d1b3220b2e493a3abeed80d491dfad70e3e5d8dae758d21cc69575ca7b8b5d01b406d647d4bd881138fd790a6d7

      Download Submit

    • memory/4848-0-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4848-1-0x00000000005A0000-0x00000000005C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4848-4-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4848-6-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4848-7-0x00000000005A0000-0x00000000005C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4848-15-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4848-26-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download