Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2023, 10:22
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
- Size: 359KB
- MD5: f9a7cadb3e1749b73b1304d47ef88070
- SHA1: 10c4632ebb569100abe57450a021ecfe2019de64
- SHA256: 66f18e5d7e077c1c819fba5bb448d235333b6e7ed29166a98ea0764c547d906c
- SHA512: f0c83c9edc7511b6d4b2f00ba7a5d3aef01ee98f6bfba036fcbc861aaa1aeb695789688d3ed7c7202d15330ba6d9f193d0492b9c35de7a6548f22d249a6a0ce9
- SSDEEP: 6144:hZMaz/pUhrG7PEuXYEpHlN9kAGxsOSVkSqOGHhkeb6IFJ3S7bk9dAMXNhl7:hS0/paG7oCnpkS8qeb6XgUmNhV
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  984 | dSDyVhNp5BN0K3a.exe
  2624 | CTS.exe
  2364 | dxwsetup.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2364 | dxwsetup.exe
  2364 | dxwsetup.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | dSDyVhNp5BN0K3a.exe
- Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | dxwsetup.exe
  File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | dxwsetup.exe
  File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETFD5B.tmp | dxwsetup.exe
  File created | C:\Windows\SysWOW64\directx\websetup\SETFD5B.tmp | dxwsetup.exe
  File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | dxwsetup.exe
  File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETFDBA.tmp | dxwsetup.exe
  File created | C:\Windows\SysWOW64\directx\websetup\SETFDBA.tmp | dxwsetup.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\CTS.exe | CTS.exe
  File opened for modification | C:\Windows\Logs\DirectX.log | dxwsetup.exe
  File created | C:\Windows\CTS.exe | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
  Token: SeDebugPrivilege | 2624 | CTS.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3224 wrote to memory of 984 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 86
  PID 3224 wrote to memory of 984 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 86
  PID 3224 wrote to memory of 984 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 86
  PID 3224 wrote to memory of 2624 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 88
  PID 3224 wrote to memory of 2624 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 88
  PID 3224 wrote to memory of 2624 | 3224 | NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe | 88
  PID 984 wrote to memory of 2364 | 984 | dSDyVhNp5BN0K3a.exe | 90
  PID 984 wrote to memory of 2364 | 984 | dSDyVhNp5BN0K3a.exe | 90
  PID 984 wrote to memory of 2364 | 984 | dSDyVhNp5BN0K3a.exe | 90
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe"
  PID: 3224
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe
    PID: 984
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      PID: 2364
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
  - [2] C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 2624
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 394KB
  MD5: e434d25828c32b820288140ba9df1ff4
  SHA1: 706c8b47c963a73cc2f080fc847180438561f020
  SHA256: 096931e0e50fbb3d67ad0ac7d98ccfbfec188b98f5b4e9215e2a777f17486d9f
  SHA512: bd78d1f73020b0d9f67e2e0e79b3e7553e6232d0d6b8e1a5d36dc96d9aa9751bc4889617b210b3c51bf391b5321ab00a27a21b91546cbb09b4c0cdd3469ff13d
- Filesize: 93KB
  MD5: 984cad22fa542a08c5d22941b888d8dc
  SHA1: 3e3522e7f3af329f2235b0f0850d664d5377b3cd
  SHA256: 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
  SHA512: 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
- Filesize: 1.5MB
  MD5: a5412a144f63d639b47fcc1ba68cb029
  SHA1: 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
  SHA256: 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
  SHA512: 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
- Filesize: 515KB
  MD5: ac3a5f7be8cd13a863b50ab5fe00b71c
  SHA1: eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
  SHA256: 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
  SHA512: c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba
- Filesize: 515KB
  MD5: ac3a5f7be8cd13a863b50ab5fe00b71c
  SHA1: eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
  SHA256: 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
  SHA512: c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba
- Filesize: 477B
  MD5: ad8982eaa02c7ad4d7cdcbc248caa941
  SHA1: 4ccd8e038d73a5361d754c7598ed238fc040d16b
  SHA256: d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
  SHA512: 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
- Filesize: 288KB
  MD5: 2cbd6ad183914a0c554f0739069e77d7
  SHA1: 7bf35f2afca666078db35ca95130beb2e3782212
  SHA256: 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
  SHA512: ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
- Filesize: 288KB
  MD5: 2cbd6ad183914a0c554f0739069e77d7
  SHA1: 7bf35f2afca666078db35ca95130beb2e3782212
  SHA256: 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
  SHA512: ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
- Filesize: 71KB
  MD5: 66df4ffab62e674af2e75b163563fc0b
  SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
- Filesize: 71KB
  MD5: 66df4ffab62e674af2e75b163563fc0b
  SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
- Filesize: 93KB
  MD5: 984cad22fa542a08c5d22941b888d8dc
  SHA1: 3e3522e7f3af329f2235b0f0850d664d5377b3cd
  SHA256: 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
  SHA512: 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
- Filesize: 93KB
  MD5: 984cad22fa542a08c5d22941b888d8dc
  SHA1: 3e3522e7f3af329f2235b0f0850d664d5377b3cd
  SHA256: 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
  SHA512: 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
- Filesize: 1.5MB
  MD5: a5412a144f63d639b47fcc1ba68cb029
  SHA1: 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
  SHA256: 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
  SHA512: 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
- Filesize: 1.5MB
  MD5: a5412a144f63d639b47fcc1ba68cb029
  SHA1: 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
  SHA256: 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
  SHA512: 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405