Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

NEAS.2994a...JC.exe

windows7-x64

8

NEAS.2994a...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2023, 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2994aec8b96490396d0ca334d32a62f0_JC.exe

  • Size

    2.7MB

  • MD5

    2994aec8b96490396d0ca334d32a62f0

  • SHA1

    c48fa6469e84279b305293885d4f7be85ce4d3d8

  • SHA256

    82b8bf8acbfe4bbabe140bc8b0c7b94135983e08685e0b684853c764e89d2b7b

  • SHA512

    5c8e1933d520e37575f72289b8af63e8f865b8fc378ba2c9f5ab6b7090fc87243f8617ae3a4ca1f26e12161ea15c8a50437d79f1a16a68ced09670978a7a3e3a

  • SSDEEP

    49152:jqGRIgg2SirwkF9xdtb43lyGKCafpKkiwnaDahmPzpY4FPyazI:jxxLFfY/KCCpKk9aWMzZyaU

Score
7/10
persistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 57 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2994aec8b96490396d0ca334d32a62f0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2994aec8b96490396d0ca334d32a62f0_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec /i vcredist.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2968
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3212
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DD8440283E727691B87C818240BA7C45
      2⤵
      • Loads dropped DLL
      PID:2128
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e588309.rbs
    Filesize

    73KB

    MD5

    0d5d9577859fc9fdde88ac9cbfc5f3b4

    SHA1

    4386918ae10a6f59da32c5d456fe471fbec7c9a6

    SHA256

    b3e3187bc8274c015122660c94fa0577fd98bf3ba9e5ea702bbaa91786f4de16

    SHA512

    3d31991b374dfdb25ae70de66b7eb61c6a0074b87c9604d24710b3eb555fcb95ad4c1d1bb9d6cbee1f12e5ed395456d7ef92fe161de6b9d75caba1c63384544f

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll.000
    Filesize

    175B

    MD5

    1130c911bf5db4b8f7cf9b6f4b457623

    SHA1

    48e734c4bc1a8b5399bff4954e54b268bde9d54c

    SHA256

    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

    SHA512

    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab
    Filesize

    247KB

    MD5

    cc064d4b81619991de8131a86ad77681

    SHA1

    88d80d86cc20c27d7d2a872af719300bd2bb73f9

    SHA256

    913ee5a1cae3e5a1872b3a5efaaa00c58e4beb692492b138f76967da671b0477

    SHA512

    5aff0eb26cfc187bf58721b2b6d73357d9f1e66d1ac5340ad9ddc08b40ad0eda27a144cb3b650604637a7476c282ded83ed890de98a73ccaf0cc021da3a9eb25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi
    Filesize

    2.6MB

    MD5

    b20bbeb818222b657df49a9cfe4fed79

    SHA1

    3f6508e880b86502773a3275bc9527f046d45502

    SHA256

    91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

    SHA512

    f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

    Download Submit

  • C:\Windows\Installer\MSI8865.tmp
    Filesize

    28KB

    MD5

    85221b3bcba8dbe4b4a46581aa49f760

    SHA1

    746645c92594bfc739f77812d67cfd85f4b92474

    SHA256

    f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

    SHA512

    060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

    Download Submit

  • C:\Windows\Installer\MSI8865.tmp
    Filesize

    28KB

    MD5

    85221b3bcba8dbe4b4a46581aa49f760

    SHA1

    746645c92594bfc739f77812d67cfd85f4b92474

    SHA256

    f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

    SHA512

    060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

    Download Submit

  • C:\Windows\Installer\e588306.msi
    Filesize

    2.6MB

    MD5

    b20bbeb818222b657df49a9cfe4fed79

    SHA1

    3f6508e880b86502773a3275bc9527f046d45502

    SHA256

    91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

    SHA512

    f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    5d716f1846993a908cc3342006ae8186

    SHA1

    a83198cfcb15323de0011c4460576d68bf8663ac

    SHA256

    5ed9c590df2ad19e33050bb26373f2026c242b2999b45ccab88c17119d2fb247

    SHA512

    caffde814d902b06ff979a6102e2b02ff9a59e56774c5b7225d871d0748afefc6b14fecf691bf5217547ded823e8a8a6e9fcfc622eeb43743e462410a23e840c

    Download Submit

  • \??\Volume{fd77526f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a02ccae6-b6bc-43b0-9343-b60ceda11b28}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    833d161c618713b4c0a99c58c4c7b3c0

    SHA1

    d6579ae9591203dcfd72934eaf5c5088e4787d40

    SHA256

    b8eea5fc58afa1011dbf82875c42e1202338ce83b91a3c80d7b46a2c04bd9601

    SHA512

    dbe895600d533e7d661020afe15dd81617db4fd5489a58ca8bd9096dab84f11355720bdddeaa8076b8f27761eaff29a6e8f75e82be27276c769925e7d2034e5d

    Download Submit

  • memory/2324-31-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2324-6-0x0000000001000000-0x0000000001297000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2324-19-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2324-26-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2324-21-0x0000000001000000-0x0000000001297000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2324-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2324-140-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2324-141-0x0000000001000000-0x0000000001297000-memory.dmp

    Filesize

    2.6MB

    Download