Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

NEAS.da17f...JC.exe

windows7-x64

10

NEAS.da17f...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2023, 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.da17f83d947f741ec61df2a41182b1d0_JC.exe

  • Size

    209KB

  • MD5

    da17f83d947f741ec61df2a41182b1d0

  • SHA1

    c62ed6ecf822fa1cbd194577b644fcaa4129d34e

  • SHA256

    aa723f86bd0a2ba235b7422e8956ec88a6b0eb389d43e919875253b9e0465d52

  • SHA512

    478f82cab4cc9a7be3f9bc05daab88f41355ac485bef702ee6ce6470871677ad55ada018b675590caa0e3925940b0b59390a5d2d683777d0ce7393cfad003ccb

  • SSDEEP

    3072:rQcjk9tVRNIcjb4Ryfjijjx14hdeCXHKPJFo9zpE7Di0X0JuLL+o7BlpF9e:rQh9tVRm2kh34hdeCkcG7DEALLlnN

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.da17f83d947f741ec61df2a41182b1d0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.da17f83d947f741ec61df2a41182b1d0_JC.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    ca9de96320480328f2a5699f3bfd501a

    SHA1

    b07491f18bb1909dc2600ff9befc0283ca3d32d5

    SHA256

    b5af2cdf11e639906f4dc057de44fdde2376c6a4f1b0d414f17d8c49be0f1d08

    SHA512

    396a14aa93dae00b984a658cdf7dd51950098507b3eb71e94c366575591ba053a43329907558cffba39ab1c238ab38a9ba74f469909ef013e010e76e277cb5fa

    Download Submit

  • C:\Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    ca9de96320480328f2a5699f3bfd501a

    SHA1

    b07491f18bb1909dc2600ff9befc0283ca3d32d5

    SHA256

    b5af2cdf11e639906f4dc057de44fdde2376c6a4f1b0d414f17d8c49be0f1d08

    SHA512

    396a14aa93dae00b984a658cdf7dd51950098507b3eb71e94c366575591ba053a43329907558cffba39ab1c238ab38a9ba74f469909ef013e010e76e277cb5fa

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    209KB

    MD5

    ca9de96320480328f2a5699f3bfd501a

    SHA1

    b07491f18bb1909dc2600ff9befc0283ca3d32d5

    SHA256

    b5af2cdf11e639906f4dc057de44fdde2376c6a4f1b0d414f17d8c49be0f1d08

    SHA512

    396a14aa93dae00b984a658cdf7dd51950098507b3eb71e94c366575591ba053a43329907558cffba39ab1c238ab38a9ba74f469909ef013e010e76e277cb5fa

    Download Submit

  • \Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    ca9de96320480328f2a5699f3bfd501a

    SHA1

    b07491f18bb1909dc2600ff9befc0283ca3d32d5

    SHA256

    b5af2cdf11e639906f4dc057de44fdde2376c6a4f1b0d414f17d8c49be0f1d08

    SHA512

    396a14aa93dae00b984a658cdf7dd51950098507b3eb71e94c366575591ba053a43329907558cffba39ab1c238ab38a9ba74f469909ef013e010e76e277cb5fa

    Download Submit

  • \Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    ca9de96320480328f2a5699f3bfd501a

    SHA1

    b07491f18bb1909dc2600ff9befc0283ca3d32d5

    SHA256

    b5af2cdf11e639906f4dc057de44fdde2376c6a4f1b0d414f17d8c49be0f1d08

    SHA512

    396a14aa93dae00b984a658cdf7dd51950098507b3eb71e94c366575591ba053a43329907558cffba39ab1c238ab38a9ba74f469909ef013e010e76e277cb5fa

    Download Submit

  • memory/2360-0-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2360-1-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2360-15-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2360-16-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2448-19-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-31-0x00000000023C0000-0x0000000002459000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2448-21-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-23-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-25-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-27-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-29-0x0000000001C80000-0x0000000001D0A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2448-18-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2448-33-0x00000000023C0000-0x0000000002459000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2448-34-0x00000000023C0000-0x0000000002459000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2448-35-0x00000000023C0000-0x0000000002459000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2448-17-0x00000000004E0000-0x0000000000538000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2448-39-0x00000000023C0000-0x0000000002459000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2448-40-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download