Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2023, 19:54
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Size: 210KB
MD5: 0ac5880cc1862e29e1683a403a64d9d0
SHA1: d343babf19fe2fd46b504e7aaf67f1b1ca4d8a20
SHA256: cf55ec22d9c296320b624f94156080c872093a47b8018276faffdbb1d47ea042
SHA512: 6c50fa07d714a85b9d900f23b678f83765af9e8c989bd51e5ae91f8ba1822b2a1857d52ef97a2b0ca4fc03e1af78daa7e5c76ee5dcc94edd6e64869660b2d7e0
SSDEEP: 3072:HfI+O5HNkDxtVagroHSCpNce3oPOM7TC7BbCk+dZpp5bdAXPVaefq4Nxi/3:45YRjBh3C7dULPiPVBg
Signatures

Executes dropped EXE (1 IoC)
pid | Process
3244 | svchost.exe

Modifies WinLogon (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b59c3911 = "C:\\Windows\\apppatch\\svchost.exe" | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Defender\purylev.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\gadyciz.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\pumyjig.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\gatyhub.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\lyxynyx.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\galynuh.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\qexyhuv.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\vofycot.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\puzylyp.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\lysyfyj.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\lyrysor.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\pupycag.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\qetyhyg.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\volykit.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\lygyvuj.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\vonypom.com | svchost.exe
File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | svchost.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\apppatch\svchost.exe | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
File opened for modification | C:\Windows\apppatch\svchost.exe | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\MuiCache | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3244 | svchost.exe (this same entry is listed 64 times in the report)

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Token: SeSecurityPrivilege | 4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Token: SeSecurityPrivilege | 3244 | svchost.exe
Token: SeSecurityPrivilege | 3244 | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4540 wrote to memory of 3244 | 4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe | 87
PID 4540 wrote to memory of 3244 | 4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe | 87
PID 4540 wrote to memory of 3244 | 4540 | NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe | 87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe"
  PID: 4540
  Signatures:
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 4540): C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 3244
    Signatures:
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 168B
MD5: d57e3a550060f85d44a175139ea23021
SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063
-
Filesize: 210KB
MD5: 97feefa3bf71665799c905b3196f8e34
SHA1: bb34e29af9e96cf9fe8ef5b4297d8c1d93ae8e80
SHA256: 2d94d6e43a7f474f8863bb8b303cc0150593b0f31f8fd327c7db12f2c2534d89
SHA512: d3c16b2b4a1ff4916c72ee65f05d83ba6367b003fe825ff0b68c5f1a3668351ae0b10681667014613bd81101088dc3b09ce5e2a1fdfa28fbd6a6433db268ae71