Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2024, 02:40

General

  • Target

    abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe

  • Size

    2.8MB

  • MD5

    3d0a200a7a10fc050f676cab55641882

  • SHA1

    feb4e4c35face5b3cff34abbd340244485137183

  • SHA256

    abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1

  • SHA512

    97a11508b65d52cbb7d341b33672bd56f66de7bbc7ebec23100e6b938a3322e3b755a6c3faf219e10907f428385be066fd05824310092ce31434a138d82bb0fd

  • SSDEEP

    49152:S9+hB4W9rsYBtYnPnQyTdDyHP8+FVKnHKduZYFMZh3uSg:SO2srDYPnXyk+FVO66a

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
    "C:\Users\Admin\AppData\Local\Temp\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

    Filesize

    859KB

    MD5

    754309b7b83050a50768236ee966224f

    SHA1

    10ed7efc2e594417ddeb00a42deb8fd9f804ed53

    SHA256

    acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

    SHA512

    e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe

    Filesize

    2.8MB

    MD5

    c1d41be0f40221538bc94a337fb11fbf

    SHA1

    8be8593c93d13ceb11bb3c1a8900bbc1f40139a4

    SHA256

    8ef980356e73b3719ae029ccc2caa8d5f740d8f00248f6b3e0dbf95b2a77afa0

    SHA512

    173b7a56b0e5eabfdd0b278bb67cfc97bea088c8f137589720f7e18de7062a033ea4d3b726ba57559f2aec15223d2dc8d73f700f5173d5d4e2ab26fab276d71a

  • memory/804-90-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/804-91-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/804-92-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/804-94-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2548-12-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB