Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2024, 20:12

General

  • Target

    79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe

  • Size

    478KB

  • MD5

    4b9d7b011de4d04fec3c5852f04dd0c0

  • SHA1

    b4e23b742398abbfd379e1c03056d40644623676

  • SHA256

    79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7

  • SHA512

    01ea75567dd1465b83ea991fcb82ac31a64980a183676add0c29e5874325bd9b206f63caed9e1d96ed30c2b228cda4fbb1b05f9f2944b7c4936bb5aa7b49486b

  • SSDEEP

    3072:mr85CAcUuOsTYzm6bj7lZ6C6+5+8JeoMP71cgDAOj:m9kuO0Yq63SfYedP71cgcOj

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe
    "C:\Users\Admin\AppData\Local\Temp\79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\3582-490\79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    c324431305861add7ddf9186a9221bd9

    SHA1

    61855e1f81606f3cb336f842a1cdd697c7a40912

    SHA256

    f331213f5bcfed2a6dba0dc0c97b5b309c00b013dc47bdb4726d51cf2c274570

    SHA512

    4b532b2bf6eaf3f618bb08b0a6f7af88ce23d76df146b2d007d5a8224ea0463525a86aacc996468cd3a513404aa66cbc516ed27aa9bd142e46492b160d411dc8

  • C:\Users\Admin\AppData\Local\Temp\3582-490\79b7c8d3281c294bcf29944b2c278ec9f9ff1a907d92749f6e6120aab39ee3f7N.exe

    Filesize

    438KB

    MD5

    1412e262be0c7c3e9499dd5766fd71c7

    SHA1

    4090920083a26051f631665acdd0b849605a8e41

    SHA256

    5416766cfc53a75dcba1f805e9921da03f71e9025e5dbf689a1fa5af609b890a

    SHA512

    bcbcdba0cf017fe6fc3b3560c9ee427053f69fa0671f0d17d7ee93b9c605562321420294c9d533480c29c0c585bd45ab71430328d4034b8bef0443c0697cbb95

  • memory/552-95-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/552-96-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/552-98-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB