Analysis
max time kernel: 151s
max time network: 140s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2023, 21:41
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
Size: 484KB
MD5: 6558f2354d65e18e6dd92848965ca440
SHA1: fb453c960ae29e23f0afff1f584639661fdbe4d5
SHA256: 51591f35883b685ab8d4629614d39ef3d06a64b3ce44bbfab821ada9be29f8df
SHA512: fec62bc7444e18800bad5cff2e00aa60f5916a1c2b69112240cfd8ac6e8de8a5331b754ba1ae8d925dd0dd281b80bce8ce773c5c7bd30898e37942140139f4e2
SSDEEP: 12288:yLPkCDt1EG2XVekhdeT1ZfTBmYjHYJH7PEzYa:yLPkQ1bqA91Td4JbPEx
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1088  fltMKEYs.exe
  2652  ~9EEE.tmp
  2964  dcomcont.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2940  NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
  2940  NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
  1088  fltMKEYs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktmulder = "C:\\Users\\Admin\\AppData\\Roaming\\calcerpt\\fltMKEYs.exe"
  Process: NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
- Drops file in System32 directory (1 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\dcomcont.exe
  Process: NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2588  2940        WerFault.exe  27
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1088  fltMKEYs.exe
  1264  Explorer.EXE
  2964  dcomcont.exe
  (the remaining entries alternate between 1264 Explorer.EXE and 2964 dcomcont.exe, 64 IoCs in total)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1264  Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     1088  fltMKEYs.exe
  Token: SeShutdownPrivilege  1264  Explorer.EXE
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                                 pid   Process                                        procid_target
  PID 2940 wrote to memory of 1088 (4 times)  2940  NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe  28
  PID 1088 wrote to memory of 2652 (4 times)  1088  fltMKEYs.exe                                   29
  PID 2652 wrote to memory of 1264 (1 time)   2652  ~9EEE.tmp                                      14
  PID 2940 wrote to memory of 2588 (4 times)  2940  NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe  31
Processes
- C:\Windows\Explorer.EXE (PID 1264, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe (PID 2940, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.6558f2354d65e18e6dd92848965ca440_JC.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\calcerpt\fltMKEYs.exe (PID 1088, depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\calcerpt"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~9EEE.tmp (PID 2652, depth 4)
        command line: 1264 496136 1088 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2588, depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 252
      - Program crash
- C:\Windows\SysWOW64\dcomcont.exe (PID 2964, depth 1)
  command line: C:\Windows\SysWOW64\dcomcont.exe -s
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: aac3165ece2959f39ff98334618d10d9
  SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
  SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
  SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf
- Filesize: 484KB
  MD5: 1c327e3ef924478beae7f357c4816cd0
  SHA1: 4b423d0d6d108f516a6f4ea62ceb294af086a02d
  SHA256: c69773c421f3fce6c2a90cd4c2559a6768de2294879b1fbf4c086667fa64bef1
  SHA512: ac8ad19f332145a3d4f9c3dee56ece5ac422b7023d5f804c14b5610b8acca20d0954e2207ee4ef0d8e58494b99b4b32559d7b6605e5a46d186e848a149b03c06