Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

NL Brute.exe

windows7-x64

10

NL Brute.exe

windows10-2004-x64

10

NL Brute.exe

windows10-ltsc 2021-x64

10

NL Brute.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/11/2024, 04:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NL Brute.exe

  • Size

    7.8MB

  • MD5

    aa7a175b442aa64c84fb306979a4320b

  • SHA1

    a7cd106acbc7675337977f55387b92145190eb1c

  • SHA256

    b3c4140104b09723a786c120c921b9e46d7b50be5fb0bd4afa7bbb23069948de

  • SHA512

    bab9d021d7d1efb24298cb66f29d1d2b716a8ea24e44891cc01a1a3249cf32bfdf1688cac70e33f336c2e70b967ae3e22f3855c9dafdeb2d1f67e6e98adb4295

  • SSDEEP

    196608:CfP0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdf6:CO8YwFV/dIa8wp2j09qXAyYDHMDYrsdi

Score
10/10
neshtadiscoveryevasionpersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NL Brute.exe
    "C:\Users\Admin\AppData\Local\Temp\NL Brute.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1096

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
No results found
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe
    Filesize

    7.8MB

    MD5

    025c1c35c3198e6e3497d5dbf97ae81f

    SHA1

    6d390038003c298c7ab8f2cbe35a50b07e096554

    SHA256

    ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4

    SHA512

    1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50

    Download Submit

  • memory/1096-90-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-111-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-14-0x0000000005F80000-0x0000000005F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-13-0x0000000005F50000-0x0000000005F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-12-0x0000000005F70000-0x0000000005F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-11-0x0000000005F60000-0x0000000005F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-16-0x0000000000401000-0x000000000081B000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1096-17-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-23-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-10-0x0000000077344000-0x0000000077346000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-33-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-58-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-9-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-105-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-15-0x0000000005F20000-0x0000000005F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-121-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-106-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-109-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-110-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-107-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-120-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-113-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-114-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-115-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1096-117-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/4940-116-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4940-119-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4940-112-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4940-108-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.