Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 09:02
Static task: static1
Behavioral task: behavioral1
Sample: Ödeme Bildirimi.exe (Turkish for "Payment Notification.exe", a lure name in the style of invoice and payment-themed phishing attachments)
Resource: win7-20241023-en
General
- Target: Ödeme Bildirimi.exe
- Size: 810.6MB
- MD5: a50c233309fce547730f8c7f2277e84a
- SHA1: 66e083c2d7e3bc02b509f3574ead4f70917f8cf4
- SHA256: cdc7a8459646b81c8922b54e0b555a8f3bf336064a752822e053d278746d01d5
- SHA512: eac158fe946814ccf28e45af0784fd31090e68f3de5544a6b43cf5b8faa526df9b5830c3f09d64ccc3bbc98d4779c18f87b958027dddcab76ee6da1176ece476
- SSDEEP: 24576:4MvDamiIIpODOJ/j0VfNAMa+cJBaVksf4/1EV8VgRl:HeDHOD6/jI+Z+SB5FVV

Note on the size: 810.6 MB is far more than the code recorded below needs. Inflating a binary with filler (a large overlay or padded resource) to push it past the upload and scan limits of AV and sandbox tooling is a common evasion, so check how much of the file is actual code before drawing conclusions from the size, and do not assume every copy in the wild carries the same padding or the same hashes.
Malware Config
Signatures
-
Detect Neshta payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2124-35-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2124-34-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Neshta
Neshta is a file infector: it writes its own code into other executables so that it spreads every time an infected program is run. In this run the infected process (PID 2124) writes C:\Windows\svchost.com and redirects the exefile open command to it, so that any .exe launched on the host passes through the infector first, and it then opens dozens of executables under Program Files and ProgramData for modification. The Neshta rule matched in the memory of the second instance of the sample (PID 2124), which is the instance the parent wrote into and redirected with SetThreadContext (see below); the parent itself shows none of the infector behaviour. That is consistent with the injected payload having been Neshta-infected before it was packed, a common occurrence with samples recovered from infected build or distribution hosts, and it means the payload's real family is not identified by this rule.
-
Neshta family
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Here both invocations add path exclusions: one for the running sample and one for C:\Users\Admin\AppData\Roaming\PuSZrbOiAUSt.exe, the same name used for the scheduled task registered below.
pid | Process
3012 | powershell.exe
2532 | powershell.exe
-
Loads dropped DLL (1 IoC)
pid | Process
2124 | Ödeme Bildirimi.exe
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Ödeme Bildirimi.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No file-level IoC is recorded for this signature in this run.
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2768 set thread context of 2124 | 2768 | Ödeme Bildirimi.exe | 36
The target is a second instance of the sample started by the parent. Setting the thread context of a child after writing to its memory (12 writes are recorded under WriteProcessMemory below) is the pattern of process hollowing: the child's entry point is redirected to code the parent placed there.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by Ödeme Bildirimi.exe (PID 2124). Every path is recorded in 8.3 short-name form (PROGRA~2 is Program Files (x86), PROGRA~3 is ProgramData), so detections that match on the long directory names will not fire on these events; match on the short names as well or normalise paths before matching.
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\WINDOW~1\WinMail.exe
- C:\PROGRA~2\WI4223~1\sidebar.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
- C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
- C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
- C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
- C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
- C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
- C:\PROGRA~2\WI54FB~1\WMPDMC.exe
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
- C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
- C:\PROGRA~2\WINDOW~1\wab.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | Ödeme Bildirimi.exe
The .com extension is deliberate: it is a valid executable extension and the name mimics the legitimate svchost.exe. Since the exefile association now points at this file, removing it before the association is restored leaves the host unable to launch any .exe.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ödeme Bildirimi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ödeme Bildirimi.exe
This key is read by many benign processes at start-up (here also by powershell.exe and schtasks.exe), so on its own it is a weak signal.
-
Modifies registry class (1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Ödeme Bildirimi.exe
This is the same registry write reported under "Modifies system executable filetype association" above, counted by a second signature.
-
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2708 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3012 | powershell.exe
2532 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
All 24 writes originate from the parent Ödeme Bildirimi.exe (PID 2768); they collapse to four targets.
description | pid | Process | procid_target | count
PID 2768 wrote to memory of 3012 | 2768 | Ödeme Bildirimi.exe | 30 | 4
PID 2768 wrote to memory of 2532 | 2768 | Ödeme Bildirimi.exe | 32 | 4
PID 2768 wrote to memory of 2708 | 2768 | Ödeme Bildirimi.exe | 34 | 4
PID 2768 wrote to memory of 2124 | 2768 | Ödeme Bildirimi.exe | 36 | 12
The four writes into each of the powershell.exe and schtasks.exe children are the same as for any child the parent spawns; the 12 writes into PID 2124, a second instance of the sample that is then redirected with SetThreadContext, are the injection.
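The exefile hijack and the dropped C:\Windows\svchost.com recorded above are the host-side marks of this infector. The following PowerShell is an added example, not code from the report or from tria.ge: it checks a host for the hijacked association (in HKLM and in the per-user HKCU override, which takes precedence), for the dropper file, and for executables under Program Files and ProgramData modified recently, and can repair the association in the right order. It assumes PowerShell 4 or later and an elevated session; the function name, its parameters and the 24-hour default window are this example's own choices.

```powershell
# Added example (not code from the report or from tria.ge): check a host for the exefile
# association hijack and the dropped svchost.com this run recorded, and optionally repair it.
# Assumes PowerShell 4+ and an elevated session. Function and parameter names are this example's own.
function Test-NeshtaAssociationHijack {
    [CmdletBinding()]
    param(
        [switch]$Repair,
        # Look-back window for the "recently modified .exe" sweep (example's own default)
        [int]$ModifiedWithinHours = 24
    )

    $expected  = '"%1" %*'                        # stock value of exefile\shell\open\command
    $dropper   = Join-Path $env:windir 'svchost.com'
    $assocKeys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'   # per-user override wins over HKLM
    )

    $findings = @()

    foreach ($key in $assocKeys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key).'(default)'
        if ($value -ne $expected) {
            $findings += [pscustomobject]@{ Type = 'ExefileAssociation'; Location = $key; Value = $value }
            if ($Repair) {
                # Restore the association BEFORE touching the dropper: while the command points at
                # svchost.com every .exe launch goes through that file, and deleting it first would
                # leave the host unable to start any executable.
                Set-ItemProperty -Path $key -Name '(default)' -Value $expected
            }
        }
    }

    if (Test-Path -LiteralPath $dropper) {
        $findings += [pscustomobject]@{
            Type     = 'DropperFile'
            Location = $dropper
            Value    = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
        }
        if ($Repair) { Remove-Item -LiteralPath $dropper -Force }
    }

    # Infected executables keep their names, so the cheap lead is the modification time.
    # Anything listed here needs restoring from a known-good copy or reinstalling; removing
    # svchost.com does not disinfect them.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
    $since = (Get-Date).AddHours(-$ModifiedWithinHours)
    Get-ChildItem -Path $roots -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'RecentlyModifiedExe'; Location = $_.FullName; Value = $_.LastWriteTime }
        }

    return $findings
}

# Report only; add -Repair to restore the association and remove the dropper.
Test-NeshtaAssociationHijack | Format-Table -AutoSize
```

Run it without -Repair first and keep the output: the list of recently modified executables is the scope of the reinfection risk, and the SHA256 of svchost.com is the indicator to pivot on across other hosts. The time-based sweep is a heuristic; a patch installed in the same window will also show up, so confirm candidates by hash against a clean install or the vendor's package before replacing them.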
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe (PID 2768, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Children of PID 2768, in creation order:
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3012, depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2532, depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PuSZrbOiAUSt.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\schtasks.exe (PID 2708, depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuSZrbOiAUSt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp"
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
-
  C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe (PID 2124, depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
-
Two details in this tree matter for detection engineering. First, each child's image path is under C:\Windows\SysWOW64 while its command line names C:\Windows\System32: the parent is a 32-bit process on a 64-bit image, so file-system redirection resolves System32 to SysWOW64, and a rule that keys on the System32 image path of powershell.exe or schtasks.exe will not match these events. Second, the order of the children is the loader's sequence: exclude the running sample from Defender, exclude a second path under %AppData% before anything exists there, register a scheduled task from an XML file in %TEMP% (the task's definition is in tmpAD11.tmp, not on the command line), then start a second instance of itself and, after the 12 memory writes and the SetThreadContext call recorded above, hand control to the injected code. Everything attributed to the Neshta family (svchost.com, the exefile hijack, the Program Files writes) happens in that second instance, PID 2124, not in the parent.
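The parent's chain above (Defender exclusions for the sample and for a future %AppData% path, a task registered from a temporary XML) leaves artefacts that can be enumerated on any host. The following PowerShell is an added example, not code from the report or from tria.ge. It assumes the Defender and ScheduledTasks PowerShell modules (Windows 8.1 / Server 2012 R2 and later; the Windows 7 image used in this run predates both, where schtasks /Query /FO CSV /V returns the task data instead), and the function name and the suspect-path patterns are this example's own.

```powershell
# Added example (not code from the report or from tria.ge): enumerate Defender exclusions and
# scheduled-task actions that point into user-writable directories, plus Defender's own log of
# configuration changes. Assumes the Defender and ScheduledTasks modules (Windows 8.1+).
# Function name and default patterns are this example's own.
function Find-UserWritablePersistence {
    [CmdletBinding()]
    param(
        # Wildcard patterns for locations no legitimate exclusion or task action should normally
        # point into. These three are this example's choice; extend them for your environment.
        [string[]]$SuspectRoots = @(
            "$env:SystemDrive\Users\*\AppData\*",
            "$env:SystemDrive\Users\*\Downloads\*",
            "$env:windir\Temp\*"
        )
    )

    function Test-SuspectPath([string]$Path) {
        foreach ($pattern in $SuspectRoots) { if ($Path -like $pattern) { return $true } }
        return $false
    }

    $hits = @()

    # 1. Defender exclusions: Add-MpPreference -ExclusionPath, run twice in the report, lands here.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p -and (Test-SuspectPath $p)) {
            $hits += [pscustomobject]@{ Kind = 'DefenderExclusion'; Name = $p; Detail = '' }
        }
    }

    # 2. Scheduled tasks whose action executes from a suspect location. The report's task is
    #    \Updates\PuSZrbOiAUSt, registered with /XML from a .tmp file in the user's Temp directory.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
            if ($exe -and (Test-SuspectPath $exe)) {
                $hits += [pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Name   = "$($task.TaskPath)$($task.TaskName)"
                    Detail = "$exe $($action.Arguments)".Trim()
                }
            }
        }
    }

    # 3. Defender's own record of the change: event 5007 in the Defender operational log is
    #    written when the configuration changes, and its message names the exclusion key added.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue) {
        if ($ev.Message -match 'Exclusions\\') {
            $hits += [pscustomobject]@{
                Kind   = 'DefenderConfigChange'
                Name   = $ev.TimeCreated
                Detail = ($ev.Message -replace '\s+', ' ')
            }
        }
    }

    return $hits
}

Find-UserWritablePersistence | Format-Table -AutoSize -Wrap
```

The third check is the one that survives clean-up: a later Remove-MpPreference leaves no exclusion to find, but the 5007 event stays in the log. Where PowerShell script block logging is enabled, event 4104 in Microsoft-Windows-PowerShell/Operational also records the Add-MpPreference command line itself, which is a more direct match than the exclusion list.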
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter: PowerShell (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Persistence
  - Event Triggered Execution: Change Default File Association (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Privilege Escalation
  - Event Triggered Execution: Change Default File Association (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores: Credentials from Web Browsers (1)
  - Unsecured Credentials: Credentials In Files (1)
Downloads
-
Filesize: 186KB
MD5: 1f19f7d7607ffa6f1f8d2422bb99a252
SHA1: 89a54eea05bc2c5cb5dae74768ae948d8c55baf8
SHA256: e86f690922bbb156c3d28cc65dec00b1819e04e5cba2e9f76bfc562fab040913
SHA512: 1189f6816bb4caa471f93e8d9ba4a79e6936e9394ff5326b7a50e8f9ee497f2cd8ec0cbbb557670d74b542d7a0b47794c3169b39a00c9612bdf473eb451a120e
-
Filesize: 1KB
MD5: 7dd281780efc2c3126d8df8c0e7fed76
SHA1: 721909c66f5a4f48a06c6a7b5822a018b7e489f0
SHA256: d4611c57fdcf11517be00886966715d443f6cf432b88becb464e106d3611ced5
SHA512: 8dfa2a2db1ada317212c2442947705d74118b8eb28482c8e53ff0287b938b11fab4b6381484a0684440ca316bcdf0fea886083813d9108992e6d1bd19c1b6bca
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 32b12db819ac507f8ee933fb074b322b
SHA1: bb716328b11158738ca340563d91d3a9165b095e
SHA256: 152ff01d0b331b343eb47e9b93b4b6fbe59adfee411dfa07fe6120ddbaaf5a88
SHA512: ac594dd966bccd38763bd3e2d07ac2423212ec33a634e344e461f8cbfe2e9f47e214ef04206fa6e68534741abc3dd921af352519d613e93152604c260353696a
-
Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156