Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    36s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 18:32

General

  • Target

    NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe

  • Size

    436KB

  • MD5

    6098b9f68a14d92a37e10b5cf897db17

  • SHA1

    420974ecce3f492a3c70a25ba9c0a2413c5836c7

  • SHA256

    da399f36c7296508b17cab83b2c669619cca75b4f8afdb9ce93817b66a272afd

  • SHA512

    47567adc2510e377d6e27e4a6876d97d9f5319773d39d1f810d9d2ddb0abef8a5df3dbe1fe0cf539841b8454719098b76fce54dd80dcace3db344a8ca7135443

  • SSDEEP

    6144:WcNhJgX9z9TB0YRX8nwhKy4K612iXPMX98L6DFuk:phJ6nTOYREYK46zi9lDMk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2268
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\devAB53.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Users\Admin\AppData\Local\Temp\NEAS.6098B9F68A14D92A37E10B5CF897DB17_JC.EXE
        3⤵
        • Executes dropped EXE
        PID:4300
      • C:\WINDOWS\MSWDM.EXE
        -e!C:\Windows\devAB53.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.6098B9F68A14D92A37E10B5CF897DB17_JC.EXE!
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:5020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6098B9F68A14D92A37E10B5CF897DB17_JC.EXE

    Filesize

    436KB

    MD5

    51885f6744ad42861d663f4c394af13b

    SHA1

    91ae188913d251ec5b0640649e0442b860185266

    SHA256

    f2b2f6179c69ff17c40de09e652f82c0801679d6a7122aa06fe26e0d1cb99083

    SHA512

    a420ab9fc65d7c6c39b131a34dbc9ca5f9843cc0c40117ca9137609b60a83d289a26bae8386c5224737e74fd4a33ceec2baf94efcd33be10ab7916534bc7b712

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6098B9F68A14D92A37E10B5CF897DB17_JC.EXE

    Filesize

    436KB

    MD5

    51885f6744ad42861d663f4c394af13b

    SHA1

    91ae188913d251ec5b0640649e0442b860185266

    SHA256

    f2b2f6179c69ff17c40de09e652f82c0801679d6a7122aa06fe26e0d1cb99083

    SHA512

    a420ab9fc65d7c6c39b131a34dbc9ca5f9843cc0c40117ca9137609b60a83d289a26bae8386c5224737e74fd4a33ceec2baf94efcd33be10ab7916534bc7b712

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe

    Filesize

    180KB

    MD5

    af6cdb55f9e419169b784a59ab1f7fc5

    SHA1

    31e3b9d2742eed03c6209a7ff9f7a56a62384b72

    SHA256

    40395ba22b299a55ef82685598efb2fef316a97835d0aea8759274ac3521266c

    SHA512

    cfea00fb62164a790e6f4b9f54e2e6f3975f5e45d0cc5e94b4dbee9d38d6304d3cc970d307842ab9e800bf0597a9f828e22bfb8c0ee8477f79a64230362df4ac

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6098b9f68a14d92a37e10b5cf897db17_JC.exe

    Filesize

    436KB

    MD5

    51885f6744ad42861d663f4c394af13b

    SHA1

    91ae188913d251ec5b0640649e0442b860185266

    SHA256

    f2b2f6179c69ff17c40de09e652f82c0801679d6a7122aa06fe26e0d1cb99083

    SHA512

    a420ab9fc65d7c6c39b131a34dbc9ca5f9843cc0c40117ca9137609b60a83d289a26bae8386c5224737e74fd4a33ceec2baf94efcd33be10ab7916534bc7b712

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\devAB53.tmp

    Filesize

    180KB

    MD5

    af6cdb55f9e419169b784a59ab1f7fc5

    SHA1

    31e3b9d2742eed03c6209a7ff9f7a56a62384b72

    SHA256

    40395ba22b299a55ef82685598efb2fef316a97835d0aea8759274ac3521266c

    SHA512

    cfea00fb62164a790e6f4b9f54e2e6f3975f5e45d0cc5e94b4dbee9d38d6304d3cc970d307842ab9e800bf0597a9f828e22bfb8c0ee8477f79a64230362df4ac