Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2023, 19:54
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
- Size: 210KB
- MD5: 0ac5880cc1862e29e1683a403a64d9d0
- SHA1: d343babf19fe2fd46b504e7aaf67f1b1ca4d8a20
- SHA256: cf55ec22d9c296320b624f94156080c872093a47b8018276faffdbb1d47ea042
- SHA512: 6c50fa07d714a85b9d900f23b678f83765af9e8c989bd51e5ae91f8ba1822b2a1857d52ef97a2b0ca4fc03e1af78daa7e5c76ee5dcc94edd6e64869660b2d7e0
- SSDEEP: 3072:HfI+O5HNkDxtVagroHSCpNce3oPOM7TC7BbCk+dZpp5bdAXPVaefq4Nxi/3:45YRjBh3C7dULPiPVBg
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 2796: svchost.exe
- Loads dropped DLL (2 IoCs)
  - PID 2604: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  - PID 2604: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
- Modifies WinLogon (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\94407a86 = "C:\\Windows\\apppatch\\svchost.exe" (process: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe)
- Drops file in Program Files directory (19 IoCs)
  - File created by svchost.exe under C:\Program Files (x86)\Windows Defender\: pupycag.com, galynuh.com, purylev.com, qetyhyg.com, lysyfyj.com, lymyxid.com, qexyhuv.com, gatyhub.com, volykit.com, lygyvuj.com, vocyzit.com, vonypom.com, pumyjig.com, puzylyp.com, gadyciz.com, vofycot.com, lyxynyx.com, galyqaz.com, lyrysor.com
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\apppatch\svchost.exe (process: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe)
  - File opened for modification: C:\Windows\apppatch\svchost.exe (process: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\MuiCache (process: svchost.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 2796: svchost.exe
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 2604: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeSecurityPrivilege, PID 2604: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  - Token: SeSecurityPrivilege, PID 2604: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  - Token: SeSecurityPrivilege, PID 2796: svchost.exe
  - Token: SeSecurityPrivilege, PID 2796: svchost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2604 (NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe) wrote to memory of PID 2796, procid_target 28
  - PID 2604 (NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe) wrote to memory of PID 2796, procid_target 28
  - PID 2604 (NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe) wrote to memory of PID 2796, procid_target 28
  - PID 2604 (NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe) wrote to memory of PID 2796, procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe (PID 2604), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\apppatch\svchost.exe (PID 2796), command line: "C:\Windows\apppatch\svchost.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads