Analysis

  • max time kernel
    153s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/11/2023, 20:51

General

  • Target

    NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe

  • Size

    198KB

  • MD5

    000eecf4a8e2d22481e515a215ae0c40

  • SHA1

    9685ff6beb409e38ae909a8bf8b177e9e66a7038

  • SHA256

    5bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93

  • SHA512

    49a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6

  • SSDEEP

    1536:QMcdBvnPrNQKpxLwW/diJ+ZNikxEYCkAqoYTMCuBFgfav633KhpsO:6vhDLZ/sJ+ukxhCaTNS6

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Disables taskbar notifications via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\39EB0E4C58B56721\1AE009.exe
        "C:\Users\Admin\39EB0E4C58B56721\1AE009.exe" 8BC65829
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Users\Admin\39EB0E4C58B56721\1AE009.exe
          "C:\Users\Admin\39EB0E4C58B56721\1AE009.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Drops startup file
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:5112
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:5064

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\39EB0E4C58B56721\1AE009.exe

      Filesize

      198KB

      MD5

      000eecf4a8e2d22481e515a215ae0c40

      SHA1

      9685ff6beb409e38ae909a8bf8b177e9e66a7038

      SHA256

      5bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93

      SHA512

      49a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ39371N\ErrorPageTemplate[1]

      Filesize

      2KB

      MD5

      f4fe1cb77e758e1ba56b8a8ec20417c5

      SHA1

      f4eda06901edb98633a686b11d02f4925f827bf0

      SHA256

      8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

      SHA512

      62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ39371N\errorPageStrings[1]

      Filesize

      4KB

      MD5

      d65ec06f21c379c87040b83cc1abac6b

      SHA1

      208d0a0bb775661758394be7e4afb18357e46c8b

      SHA256

      a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

      SHA512

      8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

    • memory/2176-19-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/2176-2-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/2176-6-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/2176-4-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/5112-25-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/5112-1249-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/5112-1890-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/5112-1910-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB