Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 02/11/2023, 01:00
Static task
- static1
Behavioral task
- behavioral1
  - Sample: NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
  - Resource: win7-20231023-en
Behavioral task
- behavioral2
  - Sample: NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
  - Resource: win10v2004-20231020-en
General
- Target: NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
- Size: 98KB
- MD5: 21093638102b2bc9c56e6af2d530aba0
- SHA1: 43847a428bb91644194a13f35bae3ccf33822f1e
- SHA256: 4a40e3fc9e14ec1d3088b933bb7ac1df25200c0a8255710d20e2a9a397e0efca
- SHA512: e9f3c1341f5bfa9047f3eb4ea18d337492f2a67afe1bc486413662b7fd5d87a1c3840524b8863db0194229e885d18e9b97dd39d26e5f8ed94ecf1c1f5ba5c139
- SSDEEP: 3072:u2bPVlKnQMeEP+8vIjBWpi4rELdC/T5bu:uiKLt+8viBWpTALcu
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3064  suvkbwn.exe
- Drops file in Program Files directory (1 IoC)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\suvkbwn.exe  NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3064  suvkbwn.exe
  1188  Explorer.EXE (the remaining 63 IoCs are all this same entry)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1188  Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3064  suvkbwn.exe
  Token: SeDebugPrivilege  1188  Explorer.EXE
- Suspicious use of UnmapMainImage (3 IoCs)
  pid   Process
  1500  NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
  3064  suvkbwn.exe
  1188  Explorer.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process      procid_target
  PID 2664 wrote to memory of 3064  2664  taskeng.exe  29
  PID 2664 wrote to memory of 3064  2664  taskeng.exe  29
  PID 2664 wrote to memory of 3064  2664  taskeng.exe  29
  PID 2664 wrote to memory of 3064  2664  taskeng.exe  29
  PID 3064 wrote to memory of 1188  3064  suvkbwn.exe  17
Processes
- [1] C:\Windows\Explorer.EXE (PID 1188)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - [2] C:\Users\Admin\AppData\Local\Temp\NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe (PID 1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe"
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
- [1] C:\Windows\system32\taskeng.exe (PID 2664)
  Command line: taskeng.exe {53628919-7B0D-48A7-9E3B-B7E476244E9B} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [2] C:\PROGRA~3\Mozilla\suvkbwn.exe (PID 3064)
    Command line: C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
Downloads
- Filesize: 98KB
  MD5: dff46345d60003c1dede004384119571
  SHA1: 1b6dd25fd5d5984f9146ef56c3154427161124bf
  SHA256: ae0de03f8b68417c1e431971d39745527803ef6e433dc613fa16fe16e096b1cb
  SHA512: e03732ca3bb9a90bb528490ee6cfbe8579639f7725d60ac988d0be73c4bd4b295b7d18c7969c81f4c59617bbf22062297fe310d8d46651c2ef352c972f41627a