Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2024, 07:06
Behavioral task behavioral1
- Sample: 7996817746b878c92c5fc407a2d25b55.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 7996817746b878c92c5fc407a2d25b55.exe
- Resource: win10v2004-20231222-en
General
- Target: 7996817746b878c92c5fc407a2d25b55.exe
- Size: 1.3MB
- MD5: 7996817746b878c92c5fc407a2d25b55
- SHA1: b1a2215278e263048f60d8663a1d8a3adea8e1a0
- SHA256: 2c2f87ce2d5f3f2e55272aa72b32fbdd30ef6886903266ae645ea9b1e08ab5f1
- SHA512: f45f0a53aaf27e88ae9e36b5286bb64ddfdcd8724d202c99a26766afb90fc20fff012116ce2d9437d5371f87f8eb903d5b6ab7518103a07e85c9db6316d3813f
- SSDEEP: 24576:Bv35bLaP4xtPmUGjgdhkhsuxo5KYviBvtFiCGlt/C9Rt4nyDazxbZYTawquegN:x5phmUkgoXxoSBvWCGl8tEyDaZZYehgN
Malware Config
Signatures
- Detect Neshta payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x000100000001030c-11.dat                                  family_neshta
  behavioral1/memory/2028-94-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
  Neshta
  Malware from the Neshta family spreads by infecting other files with copies of itself, damaging those files in the process.
- Executes dropped EXE (1 IoCs)
  pid   Process
  1876  7996817746b878c92c5fc407a2d25b55.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2028  7996817746b878c92c5fc407a2d25b55.exe
  2028  7996817746b878c92c5fc407a2d25b55.exe
- Modifies system executable filetype association (2 TTPs, 1 IoCs)
  description      ioc                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  7996817746b878c92c5fc407a2d25b55.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoCs)
  description                   ioc                     Process
  File opened for modification  C:\Windows\svchost.com  7996817746b878c92c5fc407a2d25b55.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                      Process
  Key created  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main  7996817746b878c92c5fc407a2d25b55.exe
- Modifies registry class (1 IoCs)
  description      ioc                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  7996817746b878c92c5fc407a2d25b55.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1876  7996817746b878c92c5fc407a2d25b55.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1876  7996817746b878c92c5fc407a2d25b55.exe
  1876  7996817746b878c92c5fc407a2d25b55.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2028 wrote to memory of 1876  2028  7996817746b878c92c5fc407a2d25b55.exe  28
  PID 2028 wrote to memory of 1876  2028  7996817746b878c92c5fc407a2d25b55.exe  28
  PID 2028 wrote to memory of 1876  2028  7996817746b878c92c5fc407a2d25b55.exe  28
  PID 2028 wrote to memory of 1876  2028  7996817746b878c92c5fc407a2d25b55.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\7996817746b878c92c5fc407a2d25b55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7996817746b878c92c5fc407a2d25b55.exe"
  PID: 2028
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\7996817746b878c92c5fc407a2d25b55.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\7996817746b878c92c5fc407a2d25b55.exe"
    PID: 1876
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Downloads