Analysis

  • max time kernel
    163s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2023, 16:58

General

  • Target

    NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe

  • Size

    145KB

  • MD5

    d8362873ab63b6d1228a8b981b16fa1f

  • SHA1

    9b1872d88a7dabbc6ea63c67e3f9b064b3b98e82

  • SHA256

    d6efb5e23cd8124846e34b9adf07e1f12b1e2f06d5a5f7c05b712b26d4c71709

  • SHA512

    8abd8ab4446d9b273d2324f19379633f1d21ae928224191a3f22043f1cc5dd3d18149de03dde8f90fbc4d9f95374285e91891d2e58108f282ba93320783e846a

  • SSDEEP

    768:P/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfL/G:PRsvcdcQjosnvnZ6LQ1E/G

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

    Filesize

    145KB

    MD5

    d3fa295d4a630f9d2f8e00e3e291809f

    SHA1

    a497d652f9266b40a502229675010f63e45b86a2

    SHA256

    413fe20c07a7a261064ed31f4a8b45bd37e45464b1ca4ee73463821fee29d30e

    SHA512

    2cca5fdde59f4b2b530d82435874b230f9f9071425d4799bba09e8095491b9e2fc4e361efaa6e4cfa23fac2e010ef9dcdccd31ee3458dd37f79d1d524ab772d8

  • memory/3836-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4180-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4180-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB