Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
128s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
02/11/2023, 16:53
General
-
Target
NEAS.fba527263c3d3a54b46682176c353340.exe
-
Size
364KB
-
MD5
fba527263c3d3a54b46682176c353340
-
SHA1
c440e8892696a2fe89911b4a3f727fff33de37df
-
SHA256
e1445226dc3f625e03416b1b5cdc08ee2f6062fad12dd39ead6e7d26fd9a5a0e
-
SHA512
aa8e6644529e88937ed9859fa6ba484febc2ad9e55b928051415481f48c6bcbbe45ecde0c76ce5be23985ae93f62863f9e61ab2a23b370802c1683197c1ced26
-
SSDEEP
6144:3XP70duMQbXV7Z0V+tbFOLM77OLnFe3HCqxNRmJ4PavntPRRI:D6p8l7btsNePmjvtPRRI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fba527263c3d3a54b46682176c353340.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.fba527263c3d3a54b46682176c353340.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Adnbapjp.exeC:\Windows\system32\Adnbapjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ajmgof32.exeC:\Windows\system32\Ajmgof32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cnpbgajc.exeC:\Windows\system32\Cnpbgajc.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gikbneio.exeC:\Windows\system32\Gikbneio.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghgeoq32.exeC:\Windows\system32\Ghgeoq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hcofbifb.exeC:\Windows\system32\Hcofbifb.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Himgjbii.exeC:\Windows\system32\Himgjbii.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jokiig32.exeC:\Windows\system32\Jokiig32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jhejgl32.exeC:\Windows\system32\Jhejgl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kiomnk32.exeC:\Windows\system32\Kiomnk32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Liofdigo.exeC:\Windows\system32\Liofdigo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mfeccm32.exeC:\Windows\system32\Mfeccm32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mjheejff.exeC:\Windows\system32\Mjheejff.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Niblafgi.exeC:\Windows\system32\Niblafgi.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nboiekjd.exeC:\Windows\system32\Nboiekjd.exe26⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Omigmc32.exeC:\Windows\system32\Omigmc32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe30⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Apfhajjf.exeC:\Windows\system32\Apfhajjf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Djhiglji.exeC:\Windows\system32\Djhiglji.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dkjbgooi.exeC:\Windows\system32\Dkjbgooi.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dnkkij32.exeC:\Windows\system32\Dnkkij32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ekahhn32.exeC:\Windows\system32\Ekahhn32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Enfjdh32.exeC:\Windows\system32\Enfjdh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ghohdk32.exeC:\Windows\system32\Ghohdk32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gmqjga32.exeC:\Windows\system32\Gmqjga32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hopfadlp.exeC:\Windows\system32\Hopfadlp.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hobcgdjm.exeC:\Windows\system32\Hobcgdjm.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Haclio32.exeC:\Windows\system32\Haclio32.exe44⤵
-
C:\Windows\SysWOW64\Headon32.exeC:\Windows\system32\Headon32.exe45⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iehkpmgl.exeC:\Windows\system32\Iehkpmgl.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Idmhqi32.exeC:\Windows\system32\Idmhqi32.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ikjmcc32.exeC:\Windows\system32\Ikjmcc32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kadnfkji.exeC:\Windows\system32\Kadnfkji.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lhgiic32.exeC:\Windows\system32\Lhgiic32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lfnfhg32.exeC:\Windows\system32\Lfnfhg32.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lfpcngdo.exeC:\Windows\system32\Lfpcngdo.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lnkgbibj.exeC:\Windows\system32\Lnkgbibj.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Miqlpbap.exeC:\Windows\system32\Miqlpbap.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mnndhi32.exeC:\Windows\system32\Mnndhi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mejijcea.exeC:\Windows\system32\Mejijcea.exe58⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Mbnjcg32.exeC:\Windows\system32\Mbnjcg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Nejbaqgo.exeC:\Windows\system32\Nejbaqgo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Obnbjdfi.exeC:\Windows\system32\Obnbjdfi.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ongpeejj.exeC:\Windows\system32\Ongpeejj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Olkqnjhd.exeC:\Windows\system32\Olkqnjhd.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pekkhn32.exeC:\Windows\system32\Pekkhn32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pbokab32.exeC:\Windows\system32\Pbokab32.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe67⤵
-
C:\Windows\SysWOW64\Pmfldkei.exeC:\Windows\system32\Pmfldkei.exe68⤵
-
C:\Windows\SysWOW64\Pbcelacq.exeC:\Windows\system32\Pbcelacq.exe69⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe70⤵
-
C:\Windows\SysWOW64\Qbeaba32.exeC:\Windows\system32\Qbeaba32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Qipjokik.exeC:\Windows\system32\Qipjokik.exe72⤵
-
C:\Windows\SysWOW64\Qpibke32.exeC:\Windows\system32\Qpibke32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe74⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Amblpikl.exeC:\Windows\system32\Amblpikl.exe75⤵
-
C:\Windows\SysWOW64\Apcead32.exeC:\Windows\system32\Apcead32.exe76⤵
-
C:\Windows\SysWOW64\Aepmjk32.exeC:\Windows\system32\Aepmjk32.exe77⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Boohcpgm.exeC:\Windows\system32\Boohcpgm.exe78⤵
-
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe79⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cpcnhbjj.exeC:\Windows\system32\Cpcnhbjj.exe80⤵
-
C:\Windows\SysWOW64\Cohkinob.exeC:\Windows\system32\Cohkinob.exe81⤵
-
C:\Windows\SysWOW64\Cllkcbnl.exeC:\Windows\system32\Cllkcbnl.exe82⤵
-
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cfglahbj.exeC:\Windows\system32\Cfglahbj.exe84⤵
-
C:\Windows\SysWOW64\Dqdgop32.exeC:\Windows\system32\Dqdgop32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dmjgdq32.exeC:\Windows\system32\Dmjgdq32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Eflocepa.exeC:\Windows\system32\Eflocepa.exe87⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ejjgic32.exeC:\Windows\system32\Ejjgic32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eqdpfm32.exeC:\Windows\system32\Eqdpfm32.exe89⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fqfmlm32.exeC:\Windows\system32\Fqfmlm32.exe90⤵
-
C:\Windows\SysWOW64\Fgqehgco.exeC:\Windows\system32\Fgqehgco.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe92⤵
-
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe93⤵
-
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe94⤵
-
C:\Windows\SysWOW64\Gfodpbpl.exeC:\Windows\system32\Gfodpbpl.exe95⤵
-
C:\Windows\SysWOW64\Hpchdf32.exeC:\Windows\system32\Hpchdf32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Hjimaole.exeC:\Windows\system32\Hjimaole.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Hpeejfjm.exeC:\Windows\system32\Hpeejfjm.exe98⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hfajlp32.exeC:\Windows\system32\Hfajlp32.exe99⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ipjoee32.exeC:\Windows\system32\Ipjoee32.exe100⤵
-
C:\Windows\SysWOW64\Iplkje32.exeC:\Windows\system32\Iplkje32.exe101⤵
-
C:\Windows\SysWOW64\Idjdqc32.exeC:\Windows\system32\Idjdqc32.exe102⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Imbhiial.exeC:\Windows\system32\Imbhiial.exe103⤵
-
C:\Windows\SysWOW64\Idmafc32.exeC:\Windows\system32\Idmafc32.exe104⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Imeeohoi.exeC:\Windows\system32\Imeeohoi.exe105⤵
-
C:\Windows\SysWOW64\Ihkila32.exeC:\Windows\system32\Ihkila32.exe106⤵
-
C:\Windows\SysWOW64\Jpfnqc32.exeC:\Windows\system32\Jpfnqc32.exe107⤵
-
C:\Windows\SysWOW64\Jphkfc32.exeC:\Windows\system32\Jphkfc32.exe108⤵
-
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe109⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jmqekg32.exeC:\Windows\system32\Jmqekg32.exe110⤵
-
C:\Windows\SysWOW64\Jhfihp32.exeC:\Windows\system32\Jhfihp32.exe111⤵
-
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe112⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kgkfil32.exeC:\Windows\system32\Kgkfil32.exe113⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe114⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kgpodk32.exeC:\Windows\system32\Kgpodk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kolaqh32.exeC:\Windows\system32\Kolaqh32.exe116⤵
-
C:\Windows\SysWOW64\Lhdeinhb.exeC:\Windows\system32\Lhdeinhb.exe117⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Lgibjj32.exeC:\Windows\system32\Lgibjj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe119⤵
-
C:\Windows\SysWOW64\Mgceqh32.exeC:\Windows\system32\Mgceqh32.exe120⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mqkijnkp.exeC:\Windows\system32\Mqkijnkp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-