Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2024, 20:51

General

  • Target

    massexe/winpcap-4.13.exe

  • Size

    464KB

  • MD5

    ce5cf0bb6b5d6da269289007b17652e3

  • SHA1

    9d81fd8d4b20dc7d68e6783ff872ff577dbebd2c

  • SHA256

    4ac6a84eda7b4b474f00118733da6e7f33c35f009a554a6f78d4464cb7101192

  • SHA512

    c503821a71ef2e4861d6009fa48a1b69ff88e8bfc6ff2244f652e2dca60004c80e4cc6b1cb22f67ccd43a26dc037d1c7fcce1ff031ecc16820dbc96675857d77

  • SSDEEP

    6144:k9X3dmkMIdQQkpxYLcP+k471Xr4bjMxiW+D/xqfF3o2KCzDunki8m/VlidXTj2EF:W34kDdc8L4bQA5qt3CxnkLwlQFPcOLsk

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own code to executables on the host so that every infected program carries and spreads the virus, then drops the original program to a sub-directory of %TEMP% and runs it so the host still appears to work. In this run the submitted winpcap-4.13.exe (PID 2504) is the infected carrier, and C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe (PID 920) is the recovered original WinPcap installer; the driver drop, the System32 writes and the net stop npf under PID 920 are the legitimate installer's work, not the virus's, so the infector's own activity is the executable filetype association change and the writes into the Windows and Program Files directories by PID 2504. The infected file is 41KB larger than the dropped original, which is the size of the prepended infector body.

  • Neshta family
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather the system language of the victim host in order to infer its geographical location.

  • NSIS installer 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
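Because a prepending infector leaves the original program intact behind its own body, the dropped 3582-490 copy should be recoverable from the submitted sample by cutting at the second PE header, and its hash should match what the sandbox recorded for the dropped file. The following is an added example (not tria.ge code and not part of this report) that does that carve and the hash comparison; it assumes the infector's image sits at offset 0 and the host follows it unmodified. The sample bytes are constructed stand-ins sized like the report's files (a 41KB body in front of a 423KB host); run against the real 464KB sample, the carved host should hash to f28156a96be558dfb83a3d935223a127816ad124b94f92c499400c38078ad842, the SHA256 listed above for the 3582-490 copy. If it does not, the layout assumption does not hold for this variant.

```python
import hashlib
import struct


def pe_header_offsets(data: bytes):
    """Yield every offset in data where a plausible PE image starts.

    A candidate needs an 'MZ' DOS header whose e_lfanew field points at a
    'PE\\0\\0' signature inside the buffer. e_lfanew is bounded so that random
    'MZ' byte pairs inside the payload are not accepted.
    """
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                yield off
        off = data.find(b"MZ", off + 1)


def carve_host(infected: bytes):
    """Split a prepend-infected file into (stub, host).

    Assumption: the infector's own PE image is at offset 0 and the original
    program follows it unmodified, so the host starts at the second PE header.
    Returns None when no second image is present (i.e. the file is not a
    prepend-infected carrier under that assumption).
    """
    offsets = list(pe_header_offsets(infected))
    if len(offsets) < 2:
        return None
    start = offsets[1]
    return infected[:start], infected[start:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def host_matches_dropped(infected: bytes, dropped_sha256: str) -> bool:
    """True if the carved host hashes to the sandbox's dropped-file SHA256."""
    carved = carve_host(infected)
    return carved is not None and sha256(carved[1]) == dropped_sha256.lower()


def fake_pe(payload: bytes) -> bytes:
    """Constructed test data only: an MZ header with e_lfanew=0x40, a PE
    signature, then the payload. Not a runnable executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed stand-ins for the report's two files: a 41 KB infector body in
# front of a 423 KB host (the real carrier is 464 KB, the dropped copy 423 KB).
STUB = fake_pe(b"\x90" * (41 * 1024 - 0x44))
HOST = fake_pe(b"Nullsoft" + b"\x00" * (423 * 1024 - 0x44 - 8))
INFECTED = STUB + HOST

if __name__ == "__main__":
    stub, host = carve_host(INFECTED)
    print(f"stub {len(stub)} bytes, host {len(host)} bytes, host sha256 {sha256(host)}")
    print("matches dropped copy:", host_matches_dropped(INFECTED, sha256(HOST)))
```

The stub returned by carve_host is the part worth hashing for infrastructure-wide hunting: it is the same bytes on every file the virus has touched, whereas the full-file hashes above only identify this one carrier.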

Processes

  • C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe
    "C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\net.exe
        net stop npf
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop npf
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1788
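The "Modifies system executable filetype association" behaviour attributed to PID 2504 above is the persistence mechanism to check for on any host that ran this carrier: once the exefile open command is changed from the Windows default of "%1" %*, the program named in front of it runs every time any .exe is launched, which is how a file infector keeps re-infecting long after the original carrier is gone. The following added triage helper (not tria.ge code, not part of this report) parses that registry value and reports what has been interposed; on Windows it can also read the live value from both hives, since HKCR is a merged view and a per-user entry under HKCU\Software\Classes overrides the HKLM one. The sample values are constructed, and the infector.com path in the hijacked entry is illustrative: this report does not show the exact command the sample wrote.

```python
import re

# Windows' stock value of HKCR\exefile\shell\open\command
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

_DEFAULT_RE = re.compile(r'^"%1"\s*%\*$', re.IGNORECASE)


def exefile_interposer(command: str):
    """Return the program wedged in front of every .exe launch, or None if
    the value is the Windows default. Handles a quoted or bare first token."""
    cmd = command.strip()
    if _DEFAULT_RE.match(cmd):
        return None
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not m:
        return cmd or "<empty>"
    return m.group(1) or m.group(2)


def triage_exefile_values(values):
    """values: mapping of registry path -> command string (from a .reg export,
    a forensic hive parser, or read_live_exefile_commands()).
    Returns only the entries that are hijacked, with the interposed program."""
    result = {}
    for path, cmd in values.items():
        interposer = exefile_interposer(cmd)
        if interposer is not None:
            result[path] = interposer
    return result


def read_live_exefile_commands():
    """On Windows, read the machine-wide and per-user exefile command.
    Returns an empty dict off Windows (winreg is a Windows-only module)."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    subkey = r"Software\Classes\exefile\shell\open\command"
    for hive, name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                       (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                out[name + "\\" + subkey] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # key absent: HKCU\Software\Classes\exefile normally does not exist
    return out


# Constructed sample values; the hijacked path is illustrative only.
SAMPLE_VALUES = {
    r"HKLM\Software\Classes\exefile\shell\open\command": r'"%1" %*',
    r"HKCU\Software\Classes\exefile\shell\open\command": r'C:\Windows\infector.com "%1" %*',
}

if __name__ == "__main__":
    values = read_live_exefile_commands() or SAMPLE_VALUES
    for path, interposer in triage_exefile_values(values).items():
        print(f"HIJACKED {path}: every EXE now runs through {interposer}")
```

The same value is visible from a command prompt with ftype exefile, but that shows only the merged view; checking the HKLM and HKCU keys separately tells you whether the change was made machine-wide or only for the user that ran the carrier, which matters for how you clean it up.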

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\Program Files\WinPcap\uninstall.exe

    Filesize

    57KB

    MD5

    b72931b899bc7a809bcc4c6c84c739f9

    SHA1

    a1c8b51971dbe08745a6a58685f576216147bea6

    SHA256

    9a0e8da7819c5a4e9d9aedc782ebac9777b1a98e8bdce9f94d2fa22c48812c58

    SHA512

    1c0d4b068c073b4d98666bd10faf4df4641bca0e76a55b79b16243776de94b16c943801bcfa1eb6c465614c69623d3424fe4c5b81194be106fc2afeadab66c91

  • C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe

    Filesize

    423KB

    MD5

    ae26452c8b3d97ef2037521ac0dd3a8b

    SHA1

    3ad99ec2bf6cc4f947bb09be627c91f82a898aa8

    SHA256

    f28156a96be558dfb83a3d935223a127816ad124b94f92c499400c38078ad842

    SHA512

    f5012a9600542b46eca137f41d58d6a6d3071aa36ca2b4c0f0119639cdf051c0a0e597c674583c4ec5753f8368ca121282acbf084930d2b1f30671f2032448d9

  • C:\Users\Admin\AppData\Local\Temp\nso7310.tmp\options.ini

    Filesize

    319B

    MD5

    8da5d5edb64a6399059ffb9bf76ed60d

    SHA1

    7dc822fdd0e6da23a00a274ff79af4bba6b54dc0

    SHA256

    3e10dccc97bafe7889df9351df4404e7bf0fed77d074cf56a991e2b7e12843c3

    SHA512

    f744ad6645bc8e48c015444cd1949d9db7fbdc33cf330d9ded9321554f60ac9cd631282665f97e0ea330d7be5188a2267f289e74d21034bc58ffd2979ef0619e

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\nso7310.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    79327201915b7cf3ba0c5d1a143aa925

    SHA1

    185b6f5520b1c39d3e7d9d91ed099698fac46d92

    SHA256

    1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

    SHA512

    c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

  • \Users\Admin\AppData\Local\Temp\nso7310.tmp\System.dll

    Filesize

    10KB

    MD5

    5c22bbf6730572e50eed4108af6081df

    SHA1

    8a13196f4d47ee7de2e35509058db954db10c72a

    SHA256

    3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

    SHA512

    264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

  • \Users\Admin\AppData\Local\Temp\nso7310.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    6d376db8c870c88759ab0fac0f91bde4

    SHA1

    c1df9264442c84858735550af99c1af55204dc31

    SHA256

    7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

    SHA512

    ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

  • memory/2504-107-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2504-156-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB