Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 147s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2023, 08:33 (day/month/year, i.e. 4 November 2023: the win7-20231025 image it ran on is dated 25 October 2023, so the submission cannot be April)
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.54417c8f7f43071297055210009dbd70.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: NEAS.54417c8f7f43071297055210009dbd70.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.54417c8f7f43071297055210009dbd70.exe
Size: 212KB
MD5: 54417c8f7f43071297055210009dbd70
SHA1: a32e74221460a3aa11e9c74fd6191142200807ae
SHA256: 49d0d16b61e9b568f34e9ea12ce970e51faeaf190590199f7898484c83ba69ae
SHA512: 39476684e545a7be108a71c812d1e191b359b96fb5f2901f77f6cb9a9464a6c436b8528a66129e1e12f0342feb28f4e1ca574f3137fc095747df258a11aa3c4f
SSDEEP: 6144:p44b7czAEYdlyp6rswaDqKgL08qvFsRcB:m4fiQdlnoxgYlvy+
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
  The AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and its Wow6432Node twin on x64) is loaded into every process that links user32.dll, which is a classic persistence and injection point on Windows 7; the report does not show the value written, so check the key on any host that ran this sample.
- Executes dropped EXE (1 IoC)
    pid   Process
    2704  kymnayk.exe
- Drops file in Program Files directory (2 IoCs)
    description   ioc                              Process
    File created  C:\PROGRA~3\Mozilla\kymnayk.exe  NEAS.54417c8f7f43071297055210009dbd70.exe
    File created  C:\PROGRA~3\Mozilla\iuxrktg.dll  kymnayk.exe
  Note: on a default x64 install PROGRA~3 is the 8.3 short name of C:\ProgramData (PROGRA~1 and PROGRA~2 are the two Program Files directories), so despite the signature's label the drop location is %ProgramData%\Mozilla, a directory in which standard users can create subfolders. The dropped EXE and DLL together are the expected shape of an AppInit_DLLs deployment.
- Suspicious use of UnmapMainImage (2 IoCs)
    pid   Process
    3004  NEAS.54417c8f7f43071297055210009dbd70.exe
    2704  kymnayk.exe
  Note: both the submitted sample and its dropped copy unmap a main executable image (NtUnmapViewOfSection), the step normally seen before a fresh PE is written in its place (process hollowing or self-overwrite); this is why the in-memory code will not match the file on disk.
- Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process      procid_target
    PID 2356 wrote to memory of 2704  2356  taskeng.exe  30
    PID 2356 wrote to memory of 2704  2356  taskeng.exe  30
    PID 2356 wrote to memory of 2704  2356  taskeng.exe  30
    PID 2356 wrote to memory of 2704  2356  taskeng.exe  30
  Note: all four writes are from taskeng.exe into the child it has just created, which every parent does during process start-up; on its own this is not an injection indicator. The useful fact is the parent itself: taskeng.exe is the Windows 7 Task Scheduler engine, so kymnayk.exe was started as a scheduled-task action.
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.54417c8f7f43071297055210009dbd70.exe (PID 3004)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.54417c8f7f43071297055210009dbd70.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage

C:\Windows\system32\taskeng.exe (PID 2356)
  command line: taskeng.exe {BAB3304F-5725-4D5C-A151-C748F97AF8D8} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  └─ C:\PROGRA~3\Mozilla\kymnayk.exe (PID 2704)
       command line: C:\PROGRA~3\Mozilla\kymnayk.exe -dtmxjcd
       - Executes dropped EXE
       - Drops file in Program Files directory
       - Suspicious use of UnmapMainImage

Note: the dropped copy is not a child of the submitted sample. It is launched by the taskeng.exe instance that services S-1-5-18 (NT AUTHORITY\SYSTEM), as its command line shows, so the task the sample registered runs the copy as SYSTEM; the "-dtmxjcd" argument distinguishes that run from the initial execution.
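As an added example, not part of the tria.ge report or of the sample's own code: a PowerShell hunt that checks a Windows host for the three artefact classes the signatures and process tree above point at (AppInit_DLLs entries, PE files under the PROGRA~3\Mozilla drop directory, and a scheduled task whose action lives there). The registry key and value names, the resolution of PROGRA~3 to %ProgramData%, the use of schtasks and its English column names are assumptions about the technique, not data from the report; the two SHA-256 values are the ones on this page.

```powershell
# Added hunt script (not from the tria.ge report or the sample). Assumptions are
# marked in comments; the only data taken from the report are the two SHA-256
# values and the C:\PROGRA~3\Mozilla drop directory. Needs PowerShell 4+ for
# Get-FileHash; run elevated so HKLM and all files are readable.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $Value, $Extra) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value; Extra = $Extra })
}

# 1. AppInit_DLLs ("Modifies AppInit DLL entries"). Assumption: the value lives
#    under Windows NT\CurrentVersion\Windows, with the 32-bit view under
#    Wow6432Node on x64. LoadAppInit_DLLs must be 1 for the entries to load.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.AppInit_DLLs) {
        Add-Finding 'AppInit_DLLs' $key $props.AppInit_DLLs "LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)"
    }
}

# 2. Dropped files. Assumption: PROGRA~3 is the short name of C:\ProgramData, so
#    the report's drop directory is %ProgramData%\Mozilla. Hash every PE there,
#    compare against the report's hashes and record the Authenticode status.
$knownSha256 = @(
    '49d0d16b61e9b568f34e9ea12ce970e51faeaf190590199f7898484c83ba69ae',  # submitted sample
    'a810971df96b06949f8781dc138073f7da016c255566b429b90465ff488ef541'   # downloadable artefact
)
$dropDir = Join-Path $env:ProgramData 'Mozilla'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
            $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            $tag  = if ($knownSha256 -contains $hash) { 'KNOWN-FROM-REPORT' } else { "sig=$sig" }
            Add-Finding 'DroppedFile' $_.FullName $hash $tag
        }
}

# 3. Scheduled tasks. kymnayk.exe was a child of taskeng.exe, i.e. a task action.
#    schtasks exists on Windows 7 (Get-ScheduledTask does not). Assumption: the
#    English column names "Task To Run" and "Run As User"; they are localized
#    on non-English installs.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    $action = $t.'Task To Run'
    if ($action -match 'ProgramData\\Mozilla|PROGRA~3\\Mozilla') {
        Add-Finding 'ScheduledTask' $t.TaskName $action "RunAs=$($t.'Run As User')"
    }
}

$findings | Format-Table -AutoSize
```

A hit in step 1 is the strongest signal, since AppInit_DLLs is empty on a clean host; a non-empty value is worth a look even when it does not point at the Mozilla directory, because a copy of the sample that chose a different drop path would still need that value. Steps 2 and 3 confirm the specific deployment seen in this run, and a file whose hash is neither of the report's values but is unsigned in a user-writable "Mozilla" folder should be pulled for analysis rather than dismissed.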
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212KB
MD5: ec34dd3693566263c6ed63cd3f877e3b
SHA1: f4280b52cb7b83b8cd7b7973ec696f7ab0dbe59b
SHA256: a810971df96b06949f8781dc138073f7da016c255566b429b90465ff488ef541
SHA512: d48b2577a410392a99a2d66384e4bf7a9e0cdc5609b7e2291279664cab6930fd4a130309427cb958c3ff787914de5e13f19654c27e7b89eee5216b3f23dfac02
Note: this artefact has the same 212KB size as the submitted sample but different hashes; the report does not name the file, so treat both hash sets as indicators rather than assuming a byte-for-byte copy.