Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2023, 03:12

General

  • Target

    NEAS.5e72d33b80162ebe4bfd3ec4d75a4dc0_JC.dll

  • Size

    386KB

  • MD5

    5e72d33b80162ebe4bfd3ec4d75a4dc0

  • SHA1

    d95089e565aa5207fffa5f87e64ee1dc7daca2ee

  • SHA256

    20ea7a8f922be18d0d17a70046a0412d5b209d37cafa612c485cb6659a9195e4

  • SHA512

    49e8f2234815c0f6a1b413e4188312549b07384b17d08ec36fd388a4263b6f92906c9650bc8f16c2aae4849c80892919913d85cec0c8bfbc581f86ea1d3225f0

  • SSDEEP

    12288:7oK3bnT8CzwAxafWXTstYrly4uhZtLPuNcxQXH:8K3bnTieXTsNuNx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e72d33b80162ebe4bfd3ec4d75a4dc0_JC.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e72d33b80162ebe4bfd3ec4d75a4dc0_JC.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\AppData\Local\Temp\8117.tmp
        C:\Users\Admin\AppData\Local\Temp\8117.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:3820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 636
        3⤵
        • Program crash
        PID:4660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2920 -ip 2920
    1⤵
      PID:4168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8117.tmp

      Filesize

      145KB

      MD5

      c610e7ccd6859872c585b2a85d7dc992

      SHA1

      362b3d4b72e3add687c209c79b500b7c6a246d46

      SHA256

      14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

      SHA512

      8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

    • C:\Users\Admin\AppData\Local\Temp\8117.tmp

      Filesize

      145KB

      MD5

      c610e7ccd6859872c585b2a85d7dc992

      SHA1

      362b3d4b72e3add687c209c79b500b7c6a246d46

      SHA256

      14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

      SHA512

      8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

    • memory/2920-0-0x0000000002CB0000-0x0000000002CEC000-memory.dmp

      Filesize

      240KB

    • memory/2920-1-0x0000000002CB0000-0x0000000002CEC000-memory.dmp

      Filesize

      240KB

    • memory/2920-3-0x0000000025800000-0x0000000025865000-memory.dmp

      Filesize

      404KB