Analysis
- max time kernel: 92s
- max time network: 195s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03/07/2024, 23:01
Static task: static1
Behavioral task behavioral1: Dropped Malware/01622664c6bf1a51484157d73fb4a42f.exe (resource: win11-20240611-en)
Behavioral task behavioral2: Dropped Malware/1.exe (resource: win11-20240508-en)
Behavioral task behavioral3: Dropped Malware/BNP DOC 12578945329763-7633562829.exe (resource: win11-20240508-en)
Behavioral task behavioral4: Dropped Malware/Comprobante de pago_978989689.xls (resource: win11-20240508-en)
Behavioral task behavioral5: Dropped Malware/Document BT24·pdf.exe (resource: win11-20240611-en)
Behavioral task behavioral6: Dropped Malware/Jailkeeper.exe (resource: win11-20240419-en)
Behavioral task behavioral7: Dropped Malware/LHDNM TAKSIRAN 2023·pdf.exe (resource: win11-20240611-en)
Behavioral task behavioral8: Dropped Malware/Order 000293884849900.exe (resource: win11-20240508-en)
Behavioral task behavioral9: Dropped Malware/PO 903886563 PDF.bat (resource: win11-20240611-en)
Behavioral task behavioral10: Dropped Malware/PO2024-0961.exe (resource: win11-20240508-en)
Behavioral task behavioral11: Dropped Malware/PRODUCTS LIST pdf.exe (resource: win11-20240508-en)
Behavioral task behavioral12: Dropped Malware/Product Inquiry466789.xls (resource: win11-20240611-en)
Behavioral task behavioral13: Dropped Malware/Quote Request (Tupy S.A.) 523AM - 924BR·pdf.exe (resource: win11-20240508-en)
Behavioral task behavioral14: Dropped Malware/REQUEST FOR QUOTATION_pdf.exe (resource: win11-20240419-en)
Behavioral task behavioral15: Dropped Malware/Transaction_Execution_Confirmation_000000.vbs (resource: win11-20240508-en)
Behavioral task behavioral16: Dropped Malware/faktura_7171503997·pdf.exe (resource: win11-20240611-en)
Behavioral task behavioral17: Dropped Malware/ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs (resource: win11-20240611-en)
Behavioral task behavioral18: Dropped Malware/帳單發票_200548224648·pdf.exe (resource: win11-20240611-en)
General
- Target: Dropped Malware/PO2024-0961.exe
- Size: 1.2MB
- MD5: 72f3a4a4cc00e2b6f64e0a204678de73
- SHA1: 9abfc40bb6c14ab8414a2a5990b7efbb90073b22
- SHA256: c10e5f7f008da5ed2a5b08326d57e7d6b052644df78facc7bbdca7b0ed366254
- SHA512: a0d33db745e247c63c2315c55c004b5e25e86b45ad454adc2c4121dbac44dc3418cec4ebf790c039b71f00668881dd66b83a87448eab3b83e06ea7ffe8b4c111
- SSDEEP: 24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaehqzGtIK+5i5DrgNV7N5:oh+ZkldoPK8YaehFyx5IDrU
Malware Config
Signatures
- Neshta: malware from the Neshta family is designed to infect itself into other files to spread itself and cause damage.
- Drops startup file (1 IoC): File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs by name.exe
- Executes dropped EXE (1 IoC): PID 4952 name.exe
- Modifies system executable filetype association (2 TTPs, 1 IoC): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by svchost.exe
- AutoIT Executable (1 IoC): AutoIT scripts compiled to PE executables. YARA rule autoit_exe matched resource behavioral10/files/0x000200000002aa37-16.dat
- Suspicious use of SetThreadContext (1 IoC): PID 4952 name.exe set thread context of PID 3280 (procid_target 78)
- Drops file in Program Files directory (64 IoCs): File opened for modification by svchost.exe
- Drops file in Windows directory (1 IoC): File opened for modification C:\Windows\svchost.com by svchost.exe
- Modifies registry class (1 IoC): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by svchost.exe
- Suspicious behavior: MapViewOfSection (1 IoC): PID 4952 name.exe
- Suspicious use of FindShellTrayWindow (4 IoCs): PID 2064 PO2024-0961.exe (x2), PID 4952 name.exe (x2)
- Suspicious use of SendNotifyMessage (4 IoCs): PID 2064 PO2024-0961.exe (x2), PID 4952 name.exe (x2)
- Suspicious use of WriteProcessMemory (7 IoCs): PID 2064 PO2024-0961.exe wrote to memory of PID 4952 (procid_target 77, x3); PID 4952 name.exe wrote to memory of PID 3280 (procid_target 78, x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\Dropped Malware\PO2024-0961.exe (PID 2064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\PO2024-0961.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\directory\name.exe (PID 4952, child of 2064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\PO2024-0961.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 3280, child of 4952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\PO2024-0961.exe"
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
Downloads