Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
55s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
30/03/2023, 20:37
Static task
static1
Behavioral task
behavioral1
Sample
0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe
Resource
win10v2004-20230220-en
General
-
Target
0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe
-
Size
347KB
-
MD5
03cc929f5f0a59a3df844109e875b4ef
-
SHA1
44a5533d95e64e8630987a2d88878a18f91c3cac
-
SHA256
0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3
-
SHA512
f1fa80b29433817336d6b7189637e2e0039c7f8000c0248abe635be9816a7febe6a354fa48b5c976842aa889997a79a077ceaea24421b2b1de2f91b3a95e1c2c
-
SSDEEP
6144:yYa6dY6Aa/wi/Xzhp0Ur/P5pd1Aw5X5GMKP0Z7r:yYzYuoUjl1AqGMV7r
Malware Config
Signatures
-
Detect Neshta payload 11 IoCs
resource yara_rule behavioral1/memory/984-68-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-70-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-78-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-151-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-152-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-153-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-154-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-155-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-156-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-158-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
pid Process 1948 lgehuztzmc.exe 984 lgehuztzmc.exe -
Loads dropped DLL 4 IoCs
pid Process 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 1948 lgehuztzmc.exe 984 lgehuztzmc.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" lgehuztzmc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1948 set thread context of 984 1948 lgehuztzmc.exe 29 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE lgehuztzmc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe lgehuztzmc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe lgehuztzmc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE lgehuztzmc.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com lgehuztzmc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" lgehuztzmc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1948 lgehuztzmc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1108 wrote to memory of 1948 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 28 PID 1108 wrote to memory of 1948 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 28 PID 1108 wrote to memory of 1948 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 28 PID 1108 wrote to memory of 1948 1108 0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe 28 PID 1948 wrote to memory of 984 1948 lgehuztzmc.exe 29 PID 1948 wrote to memory of 984 1948 lgehuztzmc.exe 29 PID 1948 wrote to memory of 984 1948 lgehuztzmc.exe 29 PID 1948 wrote to memory of 984 1948 lgehuztzmc.exe 29 PID 1948 wrote to memory of 984 1948 lgehuztzmc.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe"C:\Users\Admin\AppData\Local\Temp\0ca7dc0360f51d054c098945edb300a2d01d0548ca1d6b86b3953631989cc6a3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\lgehuztzmc.exe"C:\Users\Admin\AppData\Local\Temp\lgehuztzmc.exe" C:\Users\Admin\AppData\Local\Temp\elgnifhc.r2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\lgehuztzmc.exe"C:\Users\Admin\AppData\Local\Temp\lgehuztzmc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:984
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5563fdf7994e86b7da751b185288a6a4f
SHA1ff48d90122073a1f77db7e388e753a201f6d4e62
SHA2565c030b7ba6c1fba3f51bd744b3b29db4453c7c336f848259647cfb3fd35d2207
SHA512ef4e8a83312322746a02cf725fc32fabae3edda63c7ca92a4cbe4320d462c228bff8c2178a47a5e46c52161523aac3d23e3bf6b03a5f4d5739b36aaac8b7bb80
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
228KB
MD593accf920ba37a7fae83e379846f59a5
SHA129bda35707ad4dd2d549d221f64427c622b69ccb
SHA25630d30fe5602dda24bc7afa849a9adaf716f349f957ca03f87da6926ba62699b2
SHA5124784950a12c0bffccbfc32ae8595dca3eccf91da91f6999fed4b08fb8e8ad04f1ad27740ec9e9ac3fbe792b4bf87d81f1a318473f88008064a055ef726c57e71
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c
-
Filesize
34KB
MD520742cabae8a6a4fed0126040a8f344f
SHA13a39a722d88c227f0149caa73654a76eaacf5a29
SHA256587148b5a118b27e83b6a2d03431f59645e225706bb4178c5fd2a32dfb597167
SHA512643d05804998b1cc965aadc02a12aef8c0984fdeb58044e43080182148a502ad5a1d24218812c1679dd4059802f283114e4c58514e108d0da102e23cd462768c