Analysis
max time kernel: 154s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2023, 18:01
Behavioral task: behavioral1
Sample: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Size: 5.6MB
MD5: 03106a8f6ba6c7b7172b3c5bf07129d0
SHA1: 3f55d8d9978c6bd77e4a50fa8def1ae0955c773f
SHA256: fc833521c8217cee92276e968b0360ab304d3e3a01053f63580d0139a8c0b13a
SHA512: 73b1486696527a901ba07e1a19a24bec34312b6f096bc5e8b302ca91b46cd0e5c80118debf78be0fe62f0c08e5181e282534ad6f7ee21d987e5ce9a21a9f6f5f
SSDEEP: 49152:Dc8+u/2bQC+NL2PmrkoCbGgdQMuzVZywWNSQy/E2LJuVzn1498B7MV33/q2kG1N6:vkj4L2obbTcT1B83vdr0Ol/Wy5i
Malware Config
Signatures
Detect Neshta payload (12 IoCs)
resource: behavioral2/files/0x000700000001f077-22.dat  yara_rule: family_neshta
resource: behavioral2/memory/4696-108-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-109-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-110-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-111-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-112-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-114-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-115-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-116-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-118-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-119-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
resource: behavioral2/memory/4696-123-0x0000000000400000-0x000000000041B000-memory.dmp  yara_rule: family_neshta
Neshta
Malware from the Neshta family is a file infector: it writes a copy of itself into other executable files so that it spreads whenever those files run, and it causes damage along the way.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Executes dropped EXE (2 IoCs)
pid: 2784  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
pid: 3588  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all 64 entries)
Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe (all 64 entries)
ioc:
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\MICROS~1\Temp\EUD1B7.tmp\MIF4FD~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Temp\EUD1B7.tmp\MID1AD~1.EXE
C:\PROGRA~2\MICROS~1\Temp\EUD1B7.tmp\MIA062~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\Temp\EUD1B7.tmp\MICROS~3.EXE
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\Temp\EUD1B7.tmp\MICROS~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
Drops file in Windows directory (1 IoCs)
description: File opened for modification  ioc: C:\Windows\svchost.com  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoCs)
description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 4696 wrote to memory of 2784  pid: 4696  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe  procid_target: 89
description: PID 4696 wrote to memory of 2784  pid: 4696  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe  procid_target: 89
description: PID 2784 wrote to memory of 3588  pid: 2784  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe  procid_target: 90
description: PID 2784 wrote to memory of 3588  pid: 2784  Process: NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe  procid_target: 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe"
   PID: 4696
   - Checks computer location settings
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe"
      PID: 2784
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=102.0.4880.55 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff73ac82068,0x7ff73ac82078,0x7ff73ac82088
         PID: 3588
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.4MB
MD5: 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1: 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256: 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512: 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Filesize: 5.5MB
MD5: cb26e2fbb05a9f7dd1f3ae9f82d1ae8d
SHA1: 9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6
SHA256: 4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c
SHA512: ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

Filesize: 5.5MB
MD5: cb26e2fbb05a9f7dd1f3ae9f82d1ae8d
SHA1: 9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6
SHA256: 4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c
SHA512: ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

Filesize: 5.5MB
MD5: cb26e2fbb05a9f7dd1f3ae9f82d1ae8d
SHA1: 9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6
SHA256: 4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c
SHA512: ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

Filesize: 244B
MD5: 4fa54de9f9babc3db73c2258ffaad555
SHA1: 72de4f3e19269d5dda421c2b751d6b8b03f587c9
SHA256: f36f75647fe7a69e21530ef5a4e149d35a5c778d90c1029450ab39ecd17d1105
SHA512: 76e14a6184e253378f5c1dc161ba8f55dd81dde39b1ad88bc34d27d9ed5769ba21c9d87e66a03ef4d66611804811ed679520d86cd243dad319865793f95b12e6