Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2023, 11:37
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911.jar
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911.jar
  Resource: win10v2004-20231023-en
General
Target: NEAS.4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911.jar
Size: 220KB
MD5: 3aa80dc27ff698e28751aacc44b6c42b
SHA1: 75293836c23aec16edb1c565eb3b12721f9ae25f
SHA256: 4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911
SHA512: 378903c57694a705cfa9bedab0e15e3105e712128d54eafeee5286b810fc25384f3808d9a0eab82e014cce426720597ef3a46ca5e464a9bafac756b8cce2df6d
SSDEEP: 6144:8kCHosddmyfyRktOdwfrSSr+9k8raYwhBaSc1SLNgdPAf+:ZzhV+tT+ZGmdof+
Malware Config
Signatures
Modifies file permissions (1 TTPs, 1 IoCs)
  pid 2228  icacls.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 5092 wmic.exe, the following token sequence twice (42 IoCs):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3960 wmic.exe, the same 21-token sequence once, followed by SeIncreaseQuotaPrivilege (22 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 4356  java.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  source pid 4356 java.exe wrote to memory of target pid 2228 (procid_target 92), twice
  source pid 4356 java.exe wrote to memory of target pid 5092 (procid_target 106), twice
  source pid 4356 java.exe wrote to memory of target pid 3960 (procid_target 108), twice
  source pid 4356 java.exe wrote to memory of target pid 3580 (procid_target 110), twice
  source pid 4356 java.exe wrote to memory of target pid 4536 (procid_target 112), twice
Processes
Depth 1: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe (PID 4356)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911.jar
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\system32\icacls.exe (PID 2228)
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    Signatures: Modifies file permissions
  Depth 2: C:\Windows\System32\Wbem\wmic.exe (PID 5092)
    Command line: wmic CPU get ProcessorId
    Signatures: Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\System32\Wbem\wmic.exe (PID 3960)
    Command line: wmic bios get serialnumber
    Signatures: Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\System32\Wbem\wmic.exe (PID 3580)
    Command line: wmic csproduct get name
  Depth 2: C:\Windows\System32\Wbem\wmic.exe (PID 4536)
    Command line: wmic csproduct get UUID
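The four wmic queries spawned by java.exe (CPU ProcessorId, BIOS serial number, csproduct name and csproduct UUID) are the usual way a Java payload assembles a hardware fingerprint of the host, typically to build a per-victim identifier. The icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage, by contrast, is the Oracle JRE's own usage-tracker setup and appears whenever a JAR is launched under Oracle Java, so it carries no signal on its own. The detection below is an added example and not part of the Triage report: it parses a constructed process-creation log modelled on this process tree and flags any parent that launches three or more distinct hardware-fingerprint wmic queries within 30 seconds. The log layout (timestamp|ppid|pid|image|command line), the timestamps, the two extra query pairs in the watch list and the unrelated cmd.exe event are assumptions made up for the example.

```python
"""Detect a burst of hardware-fingerprinting wmic queries under one parent.

Added example, not code from the Triage report. The log format, timestamps
and the extra cmd.exe event below are assumptions constructed for this example.
"""
import re
from collections import defaultdict

# wmic <alias> get <property> pairs that yield a stable per-machine identifier.
# The first four are the ones in the report; the last two are assumed
# companions seen in other fingerprinting routines, not in this report.
FINGERPRINT_QUERIES = {
    ("cpu", "processorid"),
    ("bios", "serialnumber"),
    ("csproduct", "name"),
    ("csproduct", "uuid"),
    ("baseboard", "serialnumber"),   # assumption, not in the report
    ("diskdrive", "serialnumber"),   # assumption, not in the report
}

WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\s+(\w+)\s+get\s+(\w+)", re.IGNORECASE)

# Constructed sample log: "timestamp|ppid|pid|image|command line".
# PIDs, images and command lines follow the report's process tree;
# the timestamps and the final cmd.exe line are made up.
SAMPLE_LOG = r"""
0.0|4000|4356|C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe|java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.4a6e7e12ae447b26cc9f490a324ba1795444987e7a5a602a167ba0716ad8d911.jar
1.2|4356|2228|C:\Windows\system32\icacls.exe|C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2.5|4356|5092|C:\Windows\System32\Wbem\wmic.exe|wmic CPU get ProcessorId
2.9|4356|3960|C:\Windows\System32\Wbem\wmic.exe|wmic bios get serialnumber
3.1|4356|3580|C:\Windows\System32\Wbem\wmic.exe|wmic csproduct get name
3.4|4356|4536|C:\Windows\System32\Wbem\wmic.exe|wmic csproduct get UUID
50.0|700|710|C:\Windows\System32\cmd.exe|cmd /c wmic os get caption
"""


def parse_log(text):
    """Parse the pipe-separated log (assumed format) into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, pid, image, cmdline = line.split("|", 4)
        events.append({"ts": float(ts), "ppid": int(ppid), "pid": int(pid),
                       "image": image, "cmdline": cmdline})
    return events


def extract_query(cmdline):
    """Return (alias, property) for a 'wmic <alias> get <property>' command, else None."""
    m = WMIC_RE.search(cmdline)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def find_fingerprinting(events, min_queries=3, window_s=30.0):
    """One hit per parent PID that spawned >= min_queries distinct
    fingerprint queries, all within window_s seconds of the first one."""
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(list)
    for e in events:
        q = extract_query(e["cmdline"])
        if q in FINGERPRINT_QUERIES:
            per_parent[e["ppid"]].append((e["ts"], q, e["pid"]))

    hits = []
    for ppid, queries in per_parent.items():
        queries.sort()
        for i, (start, _, _) in enumerate(queries):
            window = [x for x in queries[i:] if x[0] - start <= window_s]
            distinct = {q for _, q, _ in window}
            if len(distinct) >= min_queries:
                parent = by_pid.get(ppid)
                hits.append({
                    "parent_pid": ppid,
                    "parent_image": parent["image"] if parent else None,
                    "queries": sorted(distinct),
                    "child_pids": sorted(pid for _, _, pid in window),
                })
                break  # report each parent once
    return hits


if __name__ == "__main__":
    for hit in find_fingerprinting(parse_log(SAMPLE_LOG)):
        print(f"{hit['parent_image']} (pid {hit['parent_pid']}) fingerprinted the host "
              f"via {len(hit['queries'])} wmic queries: {hit['queries']}")
```

The rule keys on the combination and timing of queries rather than on any single wmic invocation, because a lone `wmic os get caption` from an admin script is routine while four distinct identifier queries in a few seconds from one non-shell parent rarely are. The parent image is reported but not filtered on, so the same logic catches the pattern under java.exe, a script host or a dropped binary; tighten `min_queries` or `window_s` to taste.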