Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/09/2022, 13:36
Static task
static1
Behavioral task
behavioral1
Sample
PURCHASE ORDER No. 2210748.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PURCHASE ORDER No. 2210748.exe
Resource
win10v2004-20220812-en
General
-
Target
PURCHASE ORDER No. 2210748.exe
-
Size
60KB
-
MD5
8626c81eed96c8096820864fc005d248
-
SHA1
b383487bcda8ac2a8763a31cc9de3b1ddea472cd
-
SHA256
1e6e0886d9d29f56259e1a5a7890727af76f8f46011341f755381704aa32ce36
-
SHA512
41187c9b45ee252d46718d37d1563a958a487f33e60592c7ed3f1db8a8911727ab95eef254eb57e4247dd68ae5298bf23631fb0ac721d053df62c7302826ed37
-
SSDEEP
1536:75XYNK5uDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNZ:7CQ5uis1Jy///f/M7
Malware Config
Signatures
-
Detect Neshta payload 5 IoCs
resource yara_rule behavioral2/memory/1572-147-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1572-149-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1572-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1572-150-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1572-152-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" PURCHASE ORDER No. 2210748.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation PURCHASE ORDER No. 2210748.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation PURCHASE ORDER No. 2210748.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aghhy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vdkdqoteg\\Aghhy.exe\"" PURCHASE ORDER No. 2210748.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 224 set thread context of 1572 224 PURCHASE ORDER No. 2210748.exe 90 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe PURCHASE ORDER No. 2210748.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE PURCHASE ORDER No. 2210748.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com PURCHASE ORDER No. 2210748.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" PURCHASE ORDER No. 2210748.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3104 powershell.exe 3104 powershell.exe 224 PURCHASE ORDER No. 2210748.exe 224 PURCHASE ORDER No. 2210748.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 224 PURCHASE ORDER No. 2210748.exe Token: SeDebugPrivilege 3104 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 224 wrote to memory of 3104 224 PURCHASE ORDER No. 2210748.exe 84 PID 224 wrote to memory of 3104 224 PURCHASE ORDER No. 2210748.exe 84 PID 224 wrote to memory of 3104 224 PURCHASE ORDER No. 2210748.exe 84 PID 224 wrote to memory of 2976 224 PURCHASE ORDER No. 2210748.exe 89 PID 224 wrote to memory of 2976 224 PURCHASE ORDER No. 2210748.exe 89 PID 224 wrote to memory of 2976 224 PURCHASE ORDER No. 2210748.exe 89 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90 PID 224 wrote to memory of 1572 224 PURCHASE ORDER No. 2210748.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"2⤵PID:2976
-
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"2⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1572
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD58626c81eed96c8096820864fc005d248
SHA1b383487bcda8ac2a8763a31cc9de3b1ddea472cd
SHA2561e6e0886d9d29f56259e1a5a7890727af76f8f46011341f755381704aa32ce36
SHA51241187c9b45ee252d46718d37d1563a958a487f33e60592c7ed3f1db8a8911727ab95eef254eb57e4247dd68ae5298bf23631fb0ac721d053df62c7302826ed37