Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 18:12 UTC

General

  • Target

    Ocean-fX8Z9F6N8.exe

  • Size

    2.4MB

  • MD5

    cf01fd4322bcfd83364fffd15ef29a75

  • SHA1

    b1445db2e6545de3f94aa1f914a6697a0e027579

  • SHA256

    8ad433b21b524ef400200f478cf1f280a77d810ed7d51c47422f3d7c33eaf3cb

  • SHA512

    9cf8cba5f2f29745ab115c9f7ebb23c04686c5dff284e4f6762dc7a79a50c3a3340fb94496865213141e6c59c354134503f65f5eff263a9ad651eaa42277a28e

  • SSDEEP

    24576:dLphtLzNPZlVOEvD9SYtSBzh0DkkaE64RyKMZyCV1E5/VGJnFLOrt1:BtL99OEUtWDkG6MptMnct1

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ocean-fX8Z9F6N8.exe
    "C:\Users\Admin\AppData\Local\Temp\Ocean-fX8Z9F6N8.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Ocean-fX8Z9F6N8.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\Ocean-fX8Z9F6N8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\nhdcK\NdK4y.exe
        C:\Users\Admin\AppData\Local\Temp\nhdcK\NdK4y.exe X8Z9F6N8
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4948

Network

  • flag-us
    DNS
    anticheat.ac
    NdK4y.exe
    Remote address:
    8.8.8.8:53
    Request
    anticheat.ac
    IN A
    Response
    anticheat.ac
    IN A
    104.21.13.90
    anticheat.ac
    IN A
    172.67.155.115
  • flag-us
    GET
    https://anticheat.ac/downloads/fivem/cli
    Ocean-fX8Z9F6N8.exe
    Remote address:
    104.21.13.90:443
    Request
    GET /downloads/fivem/cli HTTP/1.1
    Host: anticheat.ac
    User-Agent: MAQUINADEARMADO
    Accept: */*
    Response
    HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 18:13:07 GMT
    Content-Type: application/x-msdos-program
    Content-Length: 9352592
    Connection: keep-alive
    content-disposition: attachment; filename=OceanFiveM.exe
    last-modified: Wed, 09 Oct 2024 04:55:07 GMT
    Cache-Control: no-cache
    etag: "1728449707.0-9352592-3425963031"
    access-control-allow-origin: *
    vary: Accept-Encoding, Cookie
    strict-transport-security: max-age=63072000; includeSubDomains; preload
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    referrer-policy: no-referrer-when-downgrade
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xVtFF7Cc9Rqf%2FsYN%2Bkx27xpiqEF%2Fs3c0Q2ENfSyDJmujpyt69wjButdGNjVZVUDELceA4LjfCPKuBlpLhh4lJeBaXsuITCP%2BU0Brup%2BBmvzYIVwfGBgNCWs6qFg0%2BNQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d190fe2c9d4d1fa-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.178.3
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    Remote address:
    142.250.178.3:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 12 Oct 2024 17:39:08 GMT
    Expires: Sat, 12 Oct 2024 18:29:08 GMT
    Cache-Control: public, max-age=3000
    Age: 2039
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    Remote address:
    142.250.178.3:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 12 Oct 2024 18:07:45 GMT
    Expires: Sat, 12 Oct 2024 18:57:45 GMT
    Cache-Control: public, max-age=3000
    Age: 322
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    90.13.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.13.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    3.178.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.178.250.142.in-addr.arpa
    IN PTR
    Response
    3.178.250.142.in-addr.arpa
    IN PTR
    lhr48s27-in-f3.1e100.net
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    68.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:51850
    Ocean-fX8Z9F6N8.exe
  • 104.21.13.90:443
    https://anticheat.ac/downloads/fivem/cli
    tls, http
    Ocean-fX8Z9F6N8.exe
    197.5kB
    9.7MB
    3991
    6958

    HTTP Request

    GET https://anticheat.ac/downloads/fivem/cli

    HTTP Response

    200
  • 142.250.178.3:80
    http://c.pki.goog/r/r4.crl
    http
    602 B
    3.9kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 104.21.13.90:443
    anticheat.ac
    tls
    NdK4y.exe
    708 B
    3.4kB
    8
    7
  • 104.21.13.90:443
    anticheat.ac
    tls
    NdK4y.exe
    1.5MB
    26.5kB
    1159
    446
  • 104.21.13.90:443
    anticheat.ac
    tls
    NdK4y.exe
    708 B
    3.4kB
    8
    7
  • 104.21.13.90:443
    anticheat.ac
    tls
    NdK4y.exe
    708 B
    3.4kB
    8
    7
  • 8.8.8.8:53
    anticheat.ac
    dns
    NdK4y.exe
    58 B
    90 B
    1
    1

    DNS Request

    anticheat.ac

    DNS Response

    104.21.13.90
    172.67.155.115

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.178.3

  • 8.8.8.8:53
    90.13.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    90.13.21.104.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    3.178.250.142.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    3.178.250.142.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    68.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    68.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    104.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    104.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Temp\3582-490\Ocean-fX8Z9F6N8.exe

    Filesize

    2.3MB

    MD5

    46888c7235910a21a39b13caa72e6113

    SHA1

    73f89ce12e2db6655b08efe4f233a8a05aa94fd7

    SHA256

    ef732471300f0a0d6e0e17f48c20b6e28ae9f5e8fc73b02c1cc3668859b1aed4

    SHA512

    92513026de2ff0cd9eafaaa9d74ae2e8e15f1aa682d1ab5e6d05a357f6b4debb0f146c2f67284ae5eda99ae8ffc6ce99996d944ed155fe4694d6d7d9b4aeaa2a

  • C:\Users\Admin\AppData\Local\Temp\nhdcK\NdK4y.exe

    Filesize

    8.9MB

    MD5

    b237284e07e8c85ff0d57bfbe46bf145

    SHA1

    fc6a88353a9e8bf8098866c6636fa59fdc38596a

    SHA256

    efb6089d9cd5145ce86e9bfa663704f42049598a2cf1795b146cbdc9437c53a8

    SHA512

    34e4cbfff1fa2435bb763852d7e3ff7ce4edcf4df625a39659a62576da4e1bfad3d83d7976aaf1cbb6fbc4ce77b639d9c6752294c45e367577725fc2e7be784d

  • memory/2472-106-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2472-112-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2472-110-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2472-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4948-96-0x0000000141026000-0x000000014124C000-memory.dmp

    Filesize

    2.1MB

  • memory/4948-105-0x0000000140000000-0x0000000141B36000-memory.dmp

    Filesize

    27.2MB

  • memory/4948-99-0x0000000140000000-0x0000000141B36000-memory.dmp

    Filesize

    27.2MB

  • memory/4948-107-0x0000000141026000-0x000000014124C000-memory.dmp

    Filesize

    2.1MB

  • memory/4948-108-0x0000000140000000-0x0000000141B36000-memory.dmp

    Filesize

    27.2MB

  • memory/4948-103-0x0000000140000000-0x0000000141B36000-memory.dmp

    Filesize

    27.2MB

  • memory/4948-98-0x00007FFE0D760000-0x00007FFE0D762000-memory.dmp

    Filesize

    8KB

  • memory/4948-97-0x00007FFE0D750000-0x00007FFE0D752000-memory.dmp

    Filesize

    8KB
