Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 17:14 UTC

General

  • Target

    e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe

  • Size

    89KB

  • MD5

    a6bd87588e880f65273180ce92385fa1

  • SHA1

    2c28e8a0557deb38741dc0eb805754814c81b7de

  • SHA256

    e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a

  • SHA512

    d91f946d5703d57b8cd72c7a92727e3f3182106ab644847b5f5b8db1b58ccc10f5a5168d3b8ca49beb61a384d3bca8a478596fbc8d55836955470517032cfcd2

  • SSDEEP

    1536:JxqjQ+P04wsmJCvTT2sd5sxaS318HxZATvnsblYO4/+:sr85CHRd5Kr318RZEvsbyOk+

Malware Config

Signatures

  • Detect Neshta payload 14 IoCs
  • MAKOP ransomware payload 1 IoCs
  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Neshta

    Neshta is a file infector: it inserts its own code into other executables in order to spread and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe
    "C:\Users\Admin\AppData\Local\Temp\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe"
      2⤵
      • Executes dropped EXE
      PID:3156

Network

  All network activity consists of reverse (PTR) lookups sent over DNS to 8.8.8.8:53 (remote address flagged US). Sizes are bytes sent / received per flow; every flow carried one packet in each direction. Responses that returned no PTR record are marked "(no answer)".

    Query (IN PTR)                  Response                                              Sent   Received
    241.150.49.20.in-addr.arpa      (no answer)                                           72 B   158 B
    192.178.17.96.in-addr.arpa      a96-17-178-192.deploy.static.akamaitechnologies.com   72 B   137 B
    81.171.91.138.in-addr.arpa      (no answer)                                           72 B   146 B
    138.32.126.40.in-addr.arpa      (no answer)                                           72 B   158 B
    95.221.229.192.in-addr.arpa     (no answer)                                           73 B   144 B
    16.234.44.23.in-addr.arpa       a23-44-234-16.deploy.static.akamaitechnologies.com    71 B   135 B
    79.121.231.20.in-addr.arpa      (no answer)                                           72 B   158 B
    86.23.85.13.in-addr.arpa        (no answer)                                           70 B   144 B
    56.126.166.20.in-addr.arpa      (no answer)                                           72 B   158 B
    104.219.191.52.in-addr.arpa     (no answer)                                           73 B   147 B
    18.134.221.88.in-addr.arpa      a88-221-134-18.deploy.static.akamaitechnologies.com   72 B   137 B
    210.178.17.96.in-addr.arpa      a96-17-178-210.deploy.static.akamaitechnologies.com   72 B   137 B
    43.229.111.52.in-addr.arpa      (no answer)                                           72 B   158 B
    201.178.17.96.in-addr.arpa      a96-17-178-201.deploy.static.akamaitechnologies.com   72 B   137 B

MITRE ATT&CK Enterprise v15


Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

    Filesize

    2.4MB

    MD5

    8ffc3bdf4a1903d9e28b99d1643fc9c7

    SHA1

    919ba8594db0ae245a8abd80f9f3698826fc6fe5

    SHA256

    8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

    SHA512

    0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

  • C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe

    Filesize

    49KB

    MD5

    02a575b9f4c0018b36c1ddf6eac3020c

    SHA1

    5135f093a792f6e36d36f353b845ceaa0419d380

    SHA256

    81eaa2c5cbcb5997f6880834ce09ce80aedc68510f1b8cd61030ea925344b829

    SHA512

    41291fb341857db845caec441131ae815b5a24d787f00e7dcdb2fdae86d674a4f1f4cfbb938ef0475ac51ed456697482bb13febdc92d9a3dfbbac59e01845f6b

  • Memory dumps of PID 4864 (image region 0x0000000000400000-0x000000000041B000), all 108KB:

    memory/4864-63-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-96-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-97-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-100-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-101-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-102-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-103-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-104-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-105-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-106-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-107-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-108-0x0000000000400000-0x000000000041B000-memory.dmp
    memory/4864-109-0x0000000000400000-0x000000000041B000-memory.dmp
