Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2024, 09:02

General

  • Target

    Ödeme Bildirimi.exe

  • Size

    810.6MB

  • MD5

    a50c233309fce547730f8c7f2277e84a

  • SHA1

    66e083c2d7e3bc02b509f3574ead4f70917f8cf4

  • SHA256

    cdc7a8459646b81c8922b54e0b555a8f3bf336064a752822e053d278746d01d5

  • SHA512

    eac158fe946814ccf28e45af0784fd31090e68f3de5544a6b43cf5b8faa526df9b5830c3f09d64ccc3bbc98d4779c18f87b958027dddcab76ee6da1176ece476

  • SSDEEP

    24576:4MvDamiIIpODOJ/j0VfNAMa+cJBaVksf4/1EV8VgRl:HeDHOD6/jI+Z+SB5FVV

Malware Config

Signatures

  • Detect Neshta payload 2 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
    "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PuSZrbOiAUSt.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuSZrbOiAUSt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
      "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
      2⤵
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

    Filesize

    186KB

    MD5

    1f19f7d7607ffa6f1f8d2422bb99a252

    SHA1

    89a54eea05bc2c5cb5dae74768ae948d8c55baf8

    SHA256

    e86f690922bbb156c3d28cc65dec00b1819e04e5cba2e9f76bfc562fab040913

    SHA512

    1189f6816bb4caa471f93e8d9ba4a79e6936e9394ff5326b7a50e8f9ee497f2cd8ec0cbbb557670d74b542d7a0b47794c3169b39a00c9612bdf473eb451a120e

  • C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp

    Filesize

    1KB

    MD5

    7dd281780efc2c3126d8df8c0e7fed76

    SHA1

    721909c66f5a4f48a06c6a7b5822a018b7e489f0

    SHA256

    d4611c57fdcf11517be00886966715d443f6cf432b88becb464e106d3611ced5

    SHA512

    8dfa2a2db1ada317212c2442947705d74118b8eb28482c8e53ff0287b938b11fab4b6381484a0684440ca316bcdf0fea886083813d9108992e6d1bd19c1b6bca

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    32b12db819ac507f8ee933fb074b322b

    SHA1

    bb716328b11158738ca340563d91d3a9165b095e

    SHA256

    152ff01d0b331b343eb47e9b93b4b6fbe59adfee411dfa07fe6120ddbaaf5a88

    SHA512

    ac594dd966bccd38763bd3e2d07ac2423212ec33a634e344e461f8cbfe2e9f47e214ef04206fa6e68534741abc3dd921af352519d613e93152604c260353696a

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • memory/2124-27-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-31-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-25-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-21-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-23-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-19-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-35-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-34-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2124-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2124-29-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2768-5-0x0000000074B40000-0x000000007522E000-memory.dmp

    Filesize

    6.9MB

  • memory/2768-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

    Filesize

    4KB

  • memory/2768-3-0x0000000000310000-0x0000000000322000-memory.dmp

    Filesize

    72KB

  • memory/2768-4-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

    Filesize

    4KB

  • memory/2768-6-0x0000000005300000-0x00000000053A4000-memory.dmp

    Filesize

    656KB

  • memory/2768-36-0x0000000074B40000-0x000000007522E000-memory.dmp

    Filesize

    6.9MB

  • memory/2768-2-0x0000000074B40000-0x000000007522E000-memory.dmp

    Filesize

    6.9MB

  • memory/2768-1-0x00000000010C0000-0x0000000001186000-memory.dmp

    Filesize

    792KB