Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 17/11/2023, 02:33
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- Size: 208KB
- MD5: 68dc620ba38c4feed9d40902bdb58e20
- SHA1: 710c5ab2c024fbd85e98e2ae4739d4bfe03fa8bd
- SHA256: 6139873fb7d4f5918a4f2b56dbc49d943c33276d1b453fac2065dfd1cd764601
- SHA512: c0a7ae0d293cd3f90e8483b09a775b7036e29937134d6ce26cee0870271fb91c4d6c09eeecdbb99652c735d0f8accda83778d8d287c78f197d1297689f8c8526
- SSDEEP: 6144:0ZWia9ubuBsyGvMwlvaB8Mi5vz9IGePA+hq5:iquCuygMQjd5vJIBP1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 2088, process svchost.exe
Loads dropped DLL (2 IoCs)
- pid 852, process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- pid 852, process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\be20f6c2 = "C:\\Windows\\apppatch\\svchost.exe" (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe)
Drops file in Program Files directory (19 IoCs)
- File created: C:\Program Files (x86)\Windows Defender\lysyfyj.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\pupycag.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\volykit.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\qetyfuv.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\puzylyp.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\gahyqah.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\lyrysor.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\galynuh.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\qetyhyg.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\vonypom.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\lymyxid.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\vofycot.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\gadyciz.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\purylev.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\gatyhub.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\vocyzit.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\vojyqem.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\galyqaz.com (process svchost.exe)
- File created: C:\Program Files (x86)\Windows Defender\qexyhuv.com (process svchost.exe)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\apppatch\svchost.exe (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe)
- File opened for modification: C:\Windows\apppatch\svchost.exe (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\MuiCache (process svchost.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- pid 2088, process svchost.exe
Suspicious behavior: RenamesItself (1 IoC)
- pid 852, process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeSecurityPrivilege, pid 852, process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- Token: SeSecurityPrivilege, pid 852, process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
- Token: SeSecurityPrivilege, pid 2088, process svchost.exe
- Token: SeSecurityPrivilege, pid 2088, process svchost.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 852 wrote to memory of 2088 (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe, procid_target 28)
- PID 852 wrote to memory of 2088 (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe, procid_target 28)
- PID 852 wrote to memory of 2088 (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe, procid_target 28)
- PID 852 wrote to memory of 2088 (process NEAS.68dc620ba38c4feed9d40902bdb58e20.exe, procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.68dc620ba38c4feed9d40902bdb58e20.exe (PID 852), command line "C:\Users\Admin\AppData\Local\Temp\NEAS.68dc620ba38c4feed9d40902bdb58e20.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\apppatch\svchost.exe (PID 2088), command line "C:\Windows\apppatch\svchost.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  - Filesize: 344B
  - MD5: f4bdf7f477d4f08fd449336d8ecf050d
  - SHA1: dc6172b52eddc99d834bf22994e0ea8d9f380c35
  - SHA256: 511c1659c3bdbd1f78c215a6dd751ab358cb15aa76f9fb71fbc5d068a60b0f75
  - SHA512: 9d6d09666252d2852b8ffd5c207076fc0c198372aebc32c41b3bed5c4fa569ccdc65709f4fb46839e0b29721b6a69ec82ff982c1eba0dfcc58aa6beed5530c72
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  - Filesize: 344B
  - MD5: c552e11a06339d54a7147743ac4dd063
  - SHA1: 39324be33dae6d5d3b2b1a2ce15749a3d13984ef
  - SHA256: 4e0a2811b38687fbdbbcdfbb8e8c4be1d35f728ceec6b1a8d6f41a2888ef4568
  - SHA512: 9187899c2576463b8c391a81af0bc53b9057e8e8cb64422e4cbbcbeb1da43bd2025c559be19c51c3827ffa8d6b79a81ee21a8521d0f2f78b94e2a023d28fbf73
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  - Filesize: 344B
  - MD5: f3ad3bc46272b139123c6497b7188173
  - SHA1: 7ee5880ab1732352bd3cb8c1e8249374f80567b1
  - SHA256: 92daf4f7f12e15a98ba55cc07f0abf42b7d8535892bbee6a4b0f5c2433054b23
  - SHA512: 2dccf679cb8b7bfe735728fb805ecdf73a46a3663e85f7907b2a25a426dee95949848474df224a3c3da2eaee0bdd227067c60e603129b22cdc8cb6831955de9c
- (unnamed file)
  - Filesize: 61KB
  - MD5: f3441b8572aae8801c04f3060b550443
  - SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  - SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  - SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- (unnamed file)
  - Filesize: 163KB
  - MD5: 9441737383d21192400eca82fda910ec
  - SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  - SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  - SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
- (unnamed file)
  - Filesize: 208KB
  - MD5: af196d1259cbc59fdfdfa83a2931465d
  - SHA1: fb10b123687cb84801fa8ef808dd82e393bfaa4c
  - SHA256: 600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4
  - SHA512: 11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070