Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10massexe/Ma...UI.exe
windows7-x64
10massexe/Ma...UI.exe
windows10-2004-x64
10massexe/Packet.dll
windows7-x64
3massexe/Packet.dll
windows10-2004-x64
3massexe/masscan.exe
windows7-x64
10massexe/masscan.exe
windows10-2004-x64
10massexe/msvcr100.dll
windows7-x64
3massexe/msvcr100.dll
windows10-2004-x64
3massexe/wi...13.exe
windows7-x64
10massexe/wi...13.exe
windows10-2004-x64
10massexe/wpcap.dll
windows7-x64
3massexe/wpcap.dll
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
06/12/2024, 20:51
Behavioral task
behavioral1
Sample
massexe/Massscan_GUI.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
massexe/Massscan_GUI.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
massexe/Packet.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
massexe/Packet.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
massexe/masscan.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
massexe/masscan.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
massexe/msvcr100.dll
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
massexe/msvcr100.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
massexe/winpcap-4.13.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
massexe/winpcap-4.13.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
massexe/wpcap.dll
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
massexe/wpcap.dll
Resource
win10v2004-20241007-en
General
-
Target
massexe/winpcap-4.13.exe
-
Size
464KB
-
MD5
ce5cf0bb6b5d6da269289007b17652e3
-
SHA1
9d81fd8d4b20dc7d68e6783ff872ff577dbebd2c
-
SHA256
4ac6a84eda7b4b474f00118733da6e7f33c35f009a554a6f78d4464cb7101192
-
SHA512
c503821a71ef2e4861d6009fa48a1b69ff88e8bfc6ff2244f652e2dca60004c80e4cc6b1cb22f67ccd43a26dc037d1c7fcce1ff031ecc16820dbc96675857d77
-
SSDEEP
6144:k9X3dmkMIdQQkpxYLcP+k471Xr4bjMxiW+D/xqfF3o2KCzDunki8m/VlidXTj2EF:W34kDdc8L4bQA5qt3CxnkLwlQFPcOLsk
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
resource yara_rule behavioral9/files/0x0001000000010319-10.dat family_neshta behavioral9/memory/2504-107-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral9/memory/2504-156-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\npf.sys winpcap-4.13.exe -
Executes dropped EXE 1 IoCs
pid Process 920 winpcap-4.13.exe -
Loads dropped DLL 5 IoCs
pid Process 2504 winpcap-4.13.exe 920 winpcap-4.13.exe 2504 winpcap-4.13.exe 920 winpcap-4.13.exe 920 winpcap-4.13.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" winpcap-4.13.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\wpcap.dll winpcap-4.13.exe File created C:\Windows\SysWOW64\Packet.dll winpcap-4.13.exe File created C:\Windows\system32\wpcap.dll winpcap-4.13.exe File created C:\Windows\system32\Packet.dll winpcap-4.13.exe File created C:\Windows\SysWOW64\pthreadVC.dll winpcap-4.13.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe winpcap-4.13.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE winpcap-4.13.exe File created C:\Program Files\WinPcap\LICENSE winpcap-4.13.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE winpcap-4.13.exe File created C:\Program Files\WinPcap\rpcapd.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE winpcap-4.13.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE winpcap-4.13.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com winpcap-4.13.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winpcap-4.13.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winpcap-4.13.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe -
NSIS installer 4 IoCs
resource yara_rule behavioral9/files/0x0005000000018704-6.dat nsis_installer_1 behavioral9/files/0x0005000000018704-6.dat nsis_installer_2 behavioral9/files/0x000500000001933f-103.dat nsis_installer_1 behavioral9/files/0x000500000001933f-103.dat nsis_installer_2 -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" winpcap-4.13.exe -
Runs net.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 920 winpcap-4.13.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 2504 wrote to memory of 920 2504 winpcap-4.13.exe 30 PID 920 wrote to memory of 2608 920 winpcap-4.13.exe 31 PID 920 wrote to memory of 2608 920 winpcap-4.13.exe 31 PID 920 wrote to memory of 2608 920 winpcap-4.13.exe 31 PID 920 wrote to memory of 2608 920 winpcap-4.13.exe 31 PID 2608 wrote to memory of 1788 2608 net.exe 33 PID 2608 wrote to memory of 1788 2608 net.exe 33 PID 2608 wrote to memory of 1788 2608 net.exe 33 PID 2608 wrote to memory of 1788 2608 net.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe"C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\net.exenet stop npf3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf4⤵
- System Location Discovery: System Language Discovery
PID:1788
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize
57KB
MD5b72931b899bc7a809bcc4c6c84c739f9
SHA1a1c8b51971dbe08745a6a58685f576216147bea6
SHA2569a0e8da7819c5a4e9d9aedc782ebac9777b1a98e8bdce9f94d2fa22c48812c58
SHA5121c0d4b068c073b4d98666bd10faf4df4641bca0e76a55b79b16243776de94b16c943801bcfa1eb6c465614c69623d3424fe4c5b81194be106fc2afeadab66c91
-
Filesize
423KB
MD5ae26452c8b3d97ef2037521ac0dd3a8b
SHA13ad99ec2bf6cc4f947bb09be627c91f82a898aa8
SHA256f28156a96be558dfb83a3d935223a127816ad124b94f92c499400c38078ad842
SHA512f5012a9600542b46eca137f41d58d6a6d3071aa36ca2b4c0f0119639cdf051c0a0e597c674583c4ec5753f8368ca121282acbf084930d2b1f30671f2032448d9
-
Filesize
319B
MD58da5d5edb64a6399059ffb9bf76ed60d
SHA17dc822fdd0e6da23a00a274ff79af4bba6b54dc0
SHA2563e10dccc97bafe7889df9351df4404e7bf0fed77d074cf56a991e2b7e12843c3
SHA512f744ad6645bc8e48c015444cd1949d9db7fbdc33cf330d9ded9321554f60ac9cd631282665f97e0ea330d7be5188a2267f289e74d21034bc58ffd2979ef0619e
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
14KB
MD579327201915b7cf3ba0c5d1a143aa925
SHA1185b6f5520b1c39d3e7d9d91ed099698fac46d92
SHA2561edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394
SHA512c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e
-
Filesize
10KB
MD55c22bbf6730572e50eed4108af6081df
SHA18a13196f4d47ee7de2e35509058db954db10c72a
SHA2563198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec
SHA512264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18
-
Filesize
6KB
MD56d376db8c870c88759ab0fac0f91bde4
SHA1c1df9264442c84858735550af99c1af55204dc31
SHA2567994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9
SHA512ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23