Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3ac16f9262...AS.exe

windows7-x64

7

3ac16f9262...AS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ac16f92621f818815ad14b15e2cffd0_NEAS.exe

  • Size

    12KB

  • MD5

    3ac16f92621f818815ad14b15e2cffd0

  • SHA1

    530e6e6d087ba618f85b4a10d34f971546dae60a

  • SHA256

    b471e7ce97113007617763a33db2373103a929dd78b6c5e9ea0ca6ff99365995

  • SHA512

    42324105b22c801e46745b4276897be6c3c8421f952d8ce13dfd4fa7eabd60a7acb48ce8df137121a5d979cab1ac95f603417e5dc0625ade90857cab3f4d6493

  • SSDEEP

    384:2L7li/2zdq2DcEQvdhcJKLTp/NK9xabia:w9M/Q9cOa

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4mp14zxn\4mp14zxn.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43E2FCA552C74FB784E158EE822B86F4.TMP"
        3⤵
          PID:2624
      • C:\Users\Admin\AppData\Local\Temp\tmp1BBC.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1BBC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4mp14zxn\4mp14zxn.0.vb
      Filesize

      2KB

      MD5

      c8dbd612fdbaf98e936d6940e4fb9d08

      SHA1

      187b6e0f04ce21596e707486b204ac489e26e785

      SHA256

      9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04

      SHA512

      c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4mp14zxn\4mp14zxn.cmdline
      Filesize

      273B

      MD5

      262405209c8d66152df520ee181a1d4d

      SHA1

      62fa1550cf4a3214c976794ba7f00e60599173d6

      SHA256

      88cffafcf45ecb70a344d08c4b59f0688a40ab4981b73ef68d4d65445bf4ac51

      SHA512

      a4fc5ae55ef9a8ae0d5047f602ca248a88e1828fbd45247ce034fb058a91551d7cdc0b23556e30ee0f68c2ebf3dc34abc438e70cb29be7a5d882389b31a22f90

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      291ce671e59dd15cd582a80bf5f766c0

      SHA1

      90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8

      SHA256

      a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253

      SHA512

      c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1CF3.tmp
      Filesize

      1KB

      MD5

      5c3421576d25ed18029768089b78f1fc

      SHA1

      69913f54ab456960da0fe5192245e1a7102b4f64

      SHA256

      5538261594acbdf1bf36d95edec65c2c122d8fb242b146190dc4175d5ec94bdf

      SHA512

      83fa95fd37f90bf731ca843b5b8b61e209a0e64d36ddd59934a3dfac20c20914ba234b28fd34d9ef61817f0ff78d393ccf0e3c93dfd3cdaf2742f568333c2662

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1BBC.tmp.exe
      Filesize

      12KB

      MD5

      de1af70cbf7e1efae8874b19f4f99624

      SHA1

      f1bad78da6dbaa110ed5d4dcc42e78c6691585bc

      SHA256

      aed3478617ca9ae0f9e359f18af05cf1f940c4f1c97023394dcb27f32c278d21

      SHA512

      3aa5255a73a133d07e683d98552e33d9a87d7a87aa71d66801f1d65cce5e62fe8b858366171460968f695754aceaec2fe63812ef88145006d4fa195ef64f23c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc43E2FCA552C74FB784E158EE822B86F4.TMP
      Filesize

      1KB

      MD5

      7389e5199101b178da10bbccaf55c3e4

      SHA1

      49be4e96546bcf0ad8bcfd1af8990dc0b85446d3

      SHA256

      bdd297651cfde57c3a236df97edfc6591b6857d1fd30d6dd2a03196d9e84abca

      SHA512

      03fb6f32fd7e80b7e86fe8fd89cb6a779d9ae227b8109dc765c5c8fa9f878ceab657361d54f1b8b0a0d22379671f9795ceae4d8af2e98dbdf38e7ec4e52d1072

      Download Submit

    • memory/2228-0-0x000000007446E000-0x000000007446F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-1-0x00000000010D0000-0x00000000010DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2228-8-0x0000000074460000-0x0000000074B4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2228-24-0x0000000074460000-0x0000000074B4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2592-23-0x0000000000180000-0x000000000018A000-memory.dmp

      Filesize

      40KB

      Download