Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 03/11/2023, 09:29
Static task
- static1

Behavioral task
- behavioral1
  Sample: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe
  Resource: win7-20231023-en

Behavioral task
- behavioral2
  Sample: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe
  Resource: win10v2004-20231025-en
General
- Target: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe
- Size: 100KB
- MD5: 0c898540cdb9004d112eabcdefbec5b0
- SHA1: e27a91efd33ba2de5c6fdef41128e3609d150646
- SHA256: c078f1b6d75f7997b67ed763942cca52e82ad5fbe423f961b3f9045a2298c2ce
- SHA512: 96ff42da7da66698cc46bb4f724b715b985531e80de7839e2392141b71e9a4fc56112c8121e420006e6ee3f9bdde1dd1f11cfc099b0bc511bd24d6fdd695fb68
- SSDEEP: 1536:UumICujqx2/gc8LeSGHRuQzljOnSk0ddix8mSB4k/U3MCa7gvc+tmccWwL:UutjqxaeLUljOwd8x8Nqp3MCaoVk
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"
  Process: 51181e81.exe

- Yara rule matches (resource: yara_rule)
  behavioral1/files/0x0008000000012027-11.dat: aspack_v212_v242
  behavioral1/files/0x0008000000012027-8.dat: aspack_v212_v242
  behavioral1/files/0x0008000000012027-9.dat: aspack_v212_v242
  behavioral1/files/0x0027000000015c7d-20.dat: aspack_v212_v242
  behavioral1/files/0x0027000000015cc4-27.dat: aspack_v212_v242
  behavioral1/files/0x0027000000015cc4-28.dat: aspack_v212_v242

- Executes dropped EXE (1 IoC)
  PID 2996: 51181e81.exe

- Loads dropped DLL (2 IoCs)
  PID 2996: 51181e81.exe
  PID 2724: svchost.exe

- Yara rule matches (resource: yara_rule)
  behavioral1/memory/2908-5-0x0000000000AA0000-0x0000000000AC4000-memory.dmp: upx
  behavioral1/memory/2996-13-0x0000000000AA0000-0x0000000000AC4000-memory.dmp: upx
  behavioral1/files/0x0008000000012027-11.dat: upx
  behavioral1/files/0x0008000000012027-8.dat: upx
  behavioral1/files/0x0008000000012027-9.dat: upx
  behavioral1/memory/2996-15-0x0000000000AA0000-0x0000000000AC4000-memory.dmp: upx
  behavioral1/memory/2996-19-0x00000000752A0000-0x0000000075300000-memory.dmp: upx
  behavioral1/files/0x0027000000015c7d-20.dat: upx
  behavioral1/files/0x0027000000015cc4-27.dat: upx
  behavioral1/files/0x0027000000015cc4-28.dat: upx
  behavioral1/memory/2724-30-0x00000000742E0000-0x0000000074304000-memory.dmp: upx
  behavioral1/memory/2724-29-0x00000000742E0000-0x0000000074304000-memory.dmp: upx
  behavioral1/memory/2724-31-0x00000000742E0000-0x0000000074304000-memory.dmp: upx
  behavioral1/memory/2996-33-0x0000000000AA0000-0x0000000000AC4000-memory.dmp: upx
  behavioral1/memory/2724-35-0x00000000742E0000-0x0000000074304000-memory.dmp: upx

- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\000004B4.tmp (Process: 51181e81.exe)
  File opened for modification: C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll (Process: 51181e81.exe)

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2996: 51181e81.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
  description: PID 2908 wrote to memory of 2996 | pid: 2908 | Process: NEAS.0c898540cdb9004d112eabcdefbec5b0.exe | procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.0c898540cdb9004d112eabcdefbec5b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0c898540cdb9004d112eabcdefbec5b0.exe"
  PID: 2908
  - Suspicious use of WriteProcessMemory
  - C:\51181e81.exe (child process)
    Command line: C:\51181e81.exe
    PID: 2996
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2724
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB
  MD5: 7d963b95ec32242244d9f6bf304551f1
  SHA1: d4601268a131bff5a95382802221e79d16056d58
  SHA256: 52236c37dbf9327502317e19bf178b4800a71e624e74ea90e76e819884601f32
  SHA512: fda7d0d2426f5a27b7d5c4bfa22d8f9c8dfdc491fe8e56569166adb721b95919c85094dd0b510dbb79091645739282f8967f872dab5eb19aec122473b0209f48

- Filesize: 87KB
  MD5: 7d963b95ec32242244d9f6bf304551f1
  SHA1: d4601268a131bff5a95382802221e79d16056d58
  SHA256: 52236c37dbf9327502317e19bf178b4800a71e624e74ea90e76e819884601f32
  SHA512: fda7d0d2426f5a27b7d5c4bfa22d8f9c8dfdc491fe8e56569166adb721b95919c85094dd0b510dbb79091645739282f8967f872dab5eb19aec122473b0209f48

- Filesize: 87KB
  MD5: 7d963b95ec32242244d9f6bf304551f1
  SHA1: d4601268a131bff5a95382802221e79d16056d58
  SHA256: 52236c37dbf9327502317e19bf178b4800a71e624e74ea90e76e819884601f32
  SHA512: fda7d0d2426f5a27b7d5c4bfa22d8f9c8dfdc491fe8e56569166adb721b95919c85094dd0b510dbb79091645739282f8967f872dab5eb19aec122473b0209f48

- Filesize: 460B
  MD5: ff3bd254698f9f8ccbccce9592ffcd06
  SHA1: b3b76b94f823eb9fff8910d352f3afce2cfd4f80
  SHA256: a19fe757f0250d74ca8a3629c31379fb87a8a6aafee113ba267db086b8887a18
  SHA512: 589d979079e7b0b26d82907991b7191b20319a5273eac3b7c3c20ef46c2251d4c87f0ac1a6a8a9734d5095d8f1fbb3aa5c0c139b41479634c4bb5fccad63b00e

- Filesize: 87KB
  MD5: 15c820896d84d672def8dbdfc9185511
  SHA1: c765bbca73cf6da1665b6779e2572759d5c188f6
  SHA256: cef5c69b54651dd8bdc2525a77cf47f9f90d02bed5b20d349b730ecc6022ce3e
  SHA512: a1daddfd7978e83c35b6d5c1f95b069aa5baf9f455f24a4460b2bae1fde8038d8fbf7746dfac77e1e49f9955000027494e51c4112ac723fbe8deaad2b8181c9f

- Filesize: 87KB
  MD5: 15c820896d84d672def8dbdfc9185511
  SHA1: c765bbca73cf6da1665b6779e2572759d5c188f6
  SHA256: cef5c69b54651dd8bdc2525a77cf47f9f90d02bed5b20d349b730ecc6022ce3e
  SHA512: a1daddfd7978e83c35b6d5c1f95b069aa5baf9f455f24a4460b2bae1fde8038d8fbf7746dfac77e1e49f9955000027494e51c4112ac723fbe8deaad2b8181c9f

- Filesize: 87KB
  MD5: 15c820896d84d672def8dbdfc9185511
  SHA1: c765bbca73cf6da1665b6779e2572759d5c188f6
  SHA256: cef5c69b54651dd8bdc2525a77cf47f9f90d02bed5b20d349b730ecc6022ce3e
  SHA512: a1daddfd7978e83c35b6d5c1f95b069aa5baf9f455f24a4460b2bae1fde8038d8fbf7746dfac77e1e49f9955000027494e51c4112ac723fbe8deaad2b8181c9f