Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2023, 18:01

General

  • Target

    NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe

  • Size

    5.6MB

  • MD5

    03106a8f6ba6c7b7172b3c5bf07129d0

  • SHA1

    3f55d8d9978c6bd77e4a50fa8def1ae0955c773f

  • SHA256

    fc833521c8217cee92276e968b0360ab304d3e3a01053f63580d0139a8c0b13a

  • SHA512

    73b1486696527a901ba07e1a19a24bec34312b6f096bc5e8b302ca91b46cd0e5c80118debf78be0fe62f0c08e5181e282534ad6f7ee21d987e5ce9a21a9f6f5f

  • SSDEEP

    49152:Dc8+u/2bQC+NL2PmrkoCbGgdQMuzVZywWNSQy/E2LJuVzn1498B7MV33/q2kG1N6:vkj4L2obbTcT1B83vdr0Ol/Wy5i

Malware Config

Signatures

  • Detect Neshta payload 12 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe
        C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=102.0.4880.55 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff73ac82068,0x7ff73ac82078,0x7ff73ac82088
        3⤵
        • Executes dropped EXE
        PID:3588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

    Filesize

    2.4MB

    MD5

    8ffc3bdf4a1903d9e28b99d1643fc9c7

    SHA1

    919ba8594db0ae245a8abd80f9f3698826fc6fe5

    SHA256

    8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

    SHA512

    0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

  • C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe

    Filesize

    5.5MB

    MD5

    cb26e2fbb05a9f7dd1f3ae9f82d1ae8d

    SHA1

    9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6

    SHA256

    4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c

    SHA512

    ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

  • C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe

    Filesize

    5.5MB

    MD5

    cb26e2fbb05a9f7dd1f3ae9f82d1ae8d

    SHA1

    9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6

    SHA256

    4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c

    SHA512

    ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

  • C:\Users\Admin\AppData\Local\Temp\3582-490\NEAS.03106a8f6ba6c7b7172b3c5bf07129d0.exe

    Filesize

    5.5MB

    MD5

    cb26e2fbb05a9f7dd1f3ae9f82d1ae8d

    SHA1

    9cebd2227ff94ed8a85b33ef7b1812c1bd1cf6e6

    SHA256

    4e0d654796929c717b726721f3e767f0848cbd5ff63cd64158cfc08076bcf85c

    SHA512

    ca366de8ed13ce87430580091d6eb2bf1f02b4414f9848abd5182cb0853522b6e7decc4c5a715a71aa6154580f01a005d17ee2a5c3d1226440e6636175f18de0

  • C:\Users\Admin\AppData\Local\Temp\3582-490\debug.log

    Filesize

    244B

    MD5

    4fa54de9f9babc3db73c2258ffaad555

    SHA1

    72de4f3e19269d5dda421c2b751d6b8b03f587c9

    SHA256

    f36f75647fe7a69e21530ef5a4e149d35a5c778d90c1029450ab39ecd17d1105

    SHA512

    76e14a6184e253378f5c1dc161ba8f55dd81dde39b1ad88bc34d27d9ed5769ba21c9d87e66a03ef4d66611804811ed679520d86cd243dad319865793f95b12e6

  • memory/4696-111-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-110-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-108-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-112-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-114-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-115-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-116-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-118-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-119-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4696-123-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB