Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    126s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 21:48

General

  • Target

    KWSuite v2.1.exe

  • Size

    1.9MB

  • MD5

    179ceae64423ec7003eb2b306b3c2171

  • SHA1

    7834ab73198780fbaf9c241914d8b9f7e0649184

  • SHA256

    326614198b1dd3ac322524f6a9eae6d77404f07fe4f455b45b5a0aea71bf860d

  • SHA512

    c09ce509654acb4f7a8df99551d1136ceffacb222fef1310eca676454c93756931f7e0b0d2c4d31349f76cecc62263076d8285f627dc416f9564e72a6f67c104

  • SSDEEP

    24576:Y2GHWoMmgHdn4MM+/OCMX+KYb06W7NS9G3yXE7SJ7BDRxpuscCTNobseacb9N/9h:Y3H9aHV9viF7NLyXE7SIsXxcz9Th

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • A potential corporate email address has been identified in the URL: BO@9QEeKBzuiz1H4nIIaBT
  • A potential corporate email address has been identified in the URL: GHHfy4@nWM24
  • A potential corporate email address has been identified in the URL: [email protected]
  • A potential corporate email address has been identified in the URL: Tr3l79Pzzq2XFsb4EMA5Z@4A4aBwU
  • A potential corporate email address has been identified in the URL: [email protected]
  • A potential corporate email address has been identified in the URL: lyGc@L8AsNAhftnOvJkvq9TDbexbkns
  • A potential corporate email address has been identified in the URL: qhywYXG7z@LAvM5nkkTgIe6YLEwUSYzIFOK1qw0gRSwD
  • A potential corporate email address has been identified in the URL: rrPHU@qw36ZB4b
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KWSuite v2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\KWSuite v2.1.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\AppData\Local\Temp\3582-490\KWSuite v2.1.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\KWSuite v2.1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 3880
        3⤵
        • Program crash
        PID:2532
  • C:\Windows\SysWOW64\werfault.exe
    werfault.exe /h /shared Global\6959eb15c1de4e99a12413395d39cc47 /t 2284 /p 2252
    1⤵
      PID:3588
    • C:\Windows\SysWOW64\werfault.exe
      werfault.exe /h /shared Global\998d6c60c0ea4a49b7982ff7408e5304 /t 2284 /p 2252
      1⤵
        PID:5036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2252 -ip 2252
        1⤵
          PID:1388

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

          Filesize

          86KB

          MD5

          3b73078a714bf61d1c19ebc3afc0e454

          SHA1

          9abeabd74613a2f533e2244c9ee6f967188e4e7e

          SHA256

          ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

          SHA512

          75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

          Filesize

          1.6MB

          MD5

          3a3a71a5df2d162555fcda9bc0993d74

          SHA1

          95c7400f85325eba9b0a92abd80ea64b76917a1a

          SHA256

          0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8

          SHA512

          9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

        • C:\Users\Admin\AppData\Local\Temp\3582-490\KWSuite v2.1.exe

          Filesize

          1.8MB

          MD5

          b215d7d984863693cd30d6e0c9310802

          SHA1

          3d7bbe022796afa34cf212dca9ae28e60301786f

          SHA256

          02c043c7b22cf0a298f4ba1a6ae6575ed2de506c3c881b4219d82af15317ba79

          SHA512

          b3fa8b688877ec19a7e0cf4b422582d11f7fde85482a4d2b5ce62d66ec959f08fa2bb0819ca53f8eee20d1951e3599746183275fb4b6d0c37af5ba2994afd56d

        • memory/2252-93-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-107-0x000000000AFE0000-0x000000000B046000-memory.dmp

          Filesize

          408KB

        • memory/2252-16-0x0000000006150000-0x00000000066F4000-memory.dmp

          Filesize

          5.6MB

        • memory/2252-17-0x0000000005C40000-0x0000000005CD2000-memory.dmp

          Filesize

          584KB

        • memory/2252-18-0x0000000005CE0000-0x0000000005EF4000-memory.dmp

          Filesize

          2.1MB

        • memory/2252-19-0x0000000005C00000-0x0000000005C0A000-memory.dmp

          Filesize

          40KB

        • memory/2252-14-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-80-0x00000000090B0000-0x0000000009162000-memory.dmp

          Filesize

          712KB

        • memory/2252-79-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-13-0x0000000000D00000-0x0000000000EE4000-memory.dmp

          Filesize

          1.9MB

        • memory/2252-95-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-15-0x00000000059B0000-0x0000000005AD4000-memory.dmp

          Filesize

          1.1MB

        • memory/2252-108-0x000000000B280000-0x000000000B2A2000-memory.dmp

          Filesize

          136KB

        • memory/2252-109-0x000000000B2B0000-0x000000000B604000-memory.dmp

          Filesize

          3.3MB

        • memory/2252-110-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

          Filesize

          4KB

        • memory/2252-111-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-121-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/2252-12-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

          Filesize

          4KB

        • memory/2252-119-0x0000000073A10000-0x00000000741C0000-memory.dmp

          Filesize

          7.7MB

        • memory/5008-116-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

        • memory/5008-114-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

        • memory/5008-112-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB