Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2023, 14:16
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
Size: 484KB
MD5: ab7b1cae52fd4459dbcb7597e6311600
SHA1: 4d57b4c6f09b9251667aaf0716593a6907f964ef
SHA256: 05315f6abdc85fa17ff3d20a11ab3cfc2c5c7f026439805e77a89b90d730e6ae
SHA512: 71fa98b3a02711c99e5e96300ce02eadf9ec71e9509c1bb1a111ed5a143a8227181131f353456c3fb3b408354bceae70cae8541ee29d6cc2d60dfcc54caca019
SSDEEP: 6144:NLTtdYsiZsWnpAwCKCFzEGfuXLZ9U+PhOMUjq+FhBN89psPv0lfWXHIH2pjo132Z:NLPkCDt1EG2XVekhdeTlYeXZjRX4
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid  | Process
  1816 | MRINpugc.exe
  2120 | ~45A8.tmp
  2668 | ktmutvol.exe

Loads dropped DLL (3 IoCs)
  pid  | Process
  2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
  2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe
  1816 | MRINpugc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitsutil = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmhost\\MRINpugc.exe" | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe

Drops file in System32 directory (1 IoC)
  description  | ioc                                | Process
  File created | C:\Windows\SysWOW64\ktmutvol.exe   | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2828 | 2124       | WerFault.exe | 20

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  1816 | MRINpugc.exe
  1212 | Explorer.EXE
  2668 | ktmutvol.exe
  (the remaining entries alternate between 1212 Explorer.EXE and 2668 ktmutvol.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  | Process
  1212 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               | pid  | Process
  Token: SeDebugPrivilege    | 1816 | MRINpugc.exe
  Token: SeShutdownPrivilege | 1212 | Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  description                      | pid  | Process                                   | procid_target
  PID 2124 wrote to memory of 1816 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 28
  PID 2124 wrote to memory of 1816 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 28
  PID 2124 wrote to memory of 1816 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 28
  PID 2124 wrote to memory of 1816 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 28
  PID 1816 wrote to memory of 2120 | 1816 | MRINpugc.exe                              | 29
  PID 1816 wrote to memory of 2120 | 1816 | MRINpugc.exe                              | 29
  PID 1816 wrote to memory of 2120 | 1816 | MRINpugc.exe                              | 29
  PID 1816 wrote to memory of 2120 | 1816 | MRINpugc.exe                              | 29
  PID 2120 wrote to memory of 1212 | 2120 | ~45A8.tmp                                 | 16
  PID 2124 wrote to memory of 2828 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 31
  PID 2124 wrote to memory of 2828 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 31
  PID 2124 wrote to memory of 2828 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 31
  PID 2124 wrote to memory of 2828 | 2124 | NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe | 31
Processes
C:\Windows\Explorer.EXE (PID 1212)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe (PID 2124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ab7b1cae52fd4459dbcb7597e6311600.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\ctfmhost\MRINpugc.exe (PID 1816)
      Command line: "C:\Users\Admin\AppData\Roaming\ctfmhost"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\~45A8.tmp (PID 2120)
        Command line: 1212 495624 1816 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 2828)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 252
      - Program crash

C:\Windows\SysWOW64\ktmutvol.exe (PID 2668)
  Command line: C:\Windows\SysWOW64\ktmutvol.exe -s
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: aac3165ece2959f39ff98334618d10d9
SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 8KB
MD5: aac3165ece2959f39ff98334618d10d9
SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200

Filesize: 484KB
MD5: 8c09664d1ed05546798861ece1ba36a6
SHA1: 4c73a7d0a21709cf6feed8b446d88fa55eaa3818
SHA256: ea3da742ccf8138e825ba8bd2294d6f127155b9dbc9697c02485acb338a480a3
SHA512: 84fe7b2d333e754fca25ea36fec09d6ec57d036be75bda3beeaec27437a5be608f5d688b21a2750451c1c8625f7ecd9cebe33b068ea0596008f5bf6d3c219200