Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 04:46

General

  • Target

    bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe

  • Size

    775KB

  • MD5

    45677bcd19ce7a7b3ff48f1be26c9fb5

  • SHA1

    1a39835f004735e6d77528129785b9535930cd53

  • SHA256

    bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd

  • SHA512

    66bf5824c07f9c31fefafe6ecffa1e984711315f3397301be21fc13a6dd7cc16b84ab006b46f6a78825ee56f804a474927d76f381445a5afd270b535ae1df25b

  • SSDEEP

    12288:OsqgmDWSpR+Gqj1gOSJVSKdet5RVu5ihnYQspCp9qWvX9fRB1IP:2gCWSpRyjdSJVDsVu5unzqWvX1lIP

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe
    "C:\Users\Admin\AppData\Local\Temp\bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\3582-490\bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

    Filesize

    2.4MB

    MD5

    d9e8a1fa55faebd36ed2342fedefbedd

    SHA1

    c25cc7f0035488de9c5df0121a09b5100e1c28e9

    SHA256

    bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

    SHA512

    134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bb424c09754876ee1fd12da33b1fcdb40c0d008d8c4c89c9e7f1a10211efa4bd.exe

    Filesize

    734KB

    MD5

    4f858439db52f69416af1354364b8b90

    SHA1

    e3df798653b611dd9a0268ce12d7babfe7a8980c

    SHA256

    c31d4ced8cb53060ba5c9bc80d92d4bdf0adcd12d7c19ba473d84cb989bc36f1

    SHA512

    6d460f0291a64781727267460d36fff0336a6603f2aff6ee290e50efdd1e15cd0f44b4be3470fa385a5aea5b3e27e4d00ea7eed019005a6106784d1a6e48374d

  • memory/2668-96-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2668-97-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2668-99-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB