Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

a948d5a671...6e.exe

windows7-x64

10

a948d5a671...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/12/2024, 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

  • Size

    2.2MB

  • MD5

    22ad737f258a118843efa7f83ff8466e

  • SHA1

    4a532fa9ff30909e0bca7b574eabe7623fad84ae

  • SHA256

    a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e

  • SHA512

    d11d20814dcce8d7edf05c6d8d8bc6ca64dc5da1da23e1c4cb2165734ff358d45b0fcaa93dcf6296b721b47491143aaa2d6270c6a7de783fd79686171dae8788

  • SSDEEP

    49152:Qifu1DBgutBPNcpwcjVpNMkCZZpsYpmwZ3hQ8cTEoDgwRO:QvguPP4wc3NMkCGGmugTEKgwRO

Score
10/10
mimicneshtadiscoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 23 IoCs
  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family was first exploited in the wild in 2022.

    ransomwaremimic
  • Mimic family
    mimic
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
    "C:\Users\Admin\AppData\Local\Temp\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe i
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p89905472210203597 Everything64.dll
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe x -y -p89905472210203597 Everything64.dll
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    Filesize

    859KB

    MD5

    02ee6a3424782531461fb2f10713d3c1

    SHA1

    b581a2c365d93ebb629e8363fd9f69afc673123f

    SHA256

    ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

    SHA512

    6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

    Download Submit

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    Download Submit

  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize

    186KB

    MD5

    58b58875a50a0d8b5e7be7d6ac685164

    SHA1

    1e0b89c1b2585c76e758e9141b846ed4477b0662

    SHA256

    2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

    SHA512

    d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

    Download Submit

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize

    1.1MB

    MD5

    566ed4f62fdc96f175afedd811fa0370

    SHA1

    d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

    SHA256

    e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

    SHA512

    cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

    Download Submit

  • C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
    Filesize

    381KB

    MD5

    3ec4922dbca2d07815cf28144193ded9

    SHA1

    75cda36469743fbc292da2684e76a26473f04a6d

    SHA256

    0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

    SHA512

    956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

    Download Submit

  • C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
    Filesize

    503KB

    MD5

    3f67da7e800cd5b4af2283a9d74d2808

    SHA1

    f9288d052b20a9f4527e5a0f87f4249f5e4440f7

    SHA256

    31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

    SHA512

    6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

    Download Submit

  • C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
    Filesize

    230KB

    MD5

    e5589ec1e4edb74cc7facdaac2acabfd

    SHA1

    9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

    SHA256

    6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

    SHA512

    f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

    Download Submit

  • C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
    Filesize

    439KB

    MD5

    400836f307cf7dbfb469cefd3b0391e7

    SHA1

    7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

    SHA256

    cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

    SHA512

    aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

    Download Submit

  • C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
    Filesize

    144KB

    MD5

    a2dddf04b395f8a08f12001318cc72a4

    SHA1

    1bd72e6e9230d94f07297c6fcde3d7f752563198

    SHA256

    b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

    SHA512

    2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

    Download Submit

  • C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
    Filesize

    606KB

    MD5

    9b1c9f74ac985eab6f8e5b27441a757b

    SHA1

    9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

    SHA256

    2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

    SHA512

    d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

    Download Submit

  • C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    Filesize

    141KB

    MD5

    7e3b8ddfa6bd68ca8f557254c3188aea

    SHA1

    bafaaaa987c86048b0cf0153e1147e1bbad39b0c

    SHA256

    8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2

    SHA512

    675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

    Download Submit

  • C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
    Filesize

    674KB

    MD5

    97510a7d9bf0811a6ea89fad85a9f3f3

    SHA1

    2ac0c49b66a92789be65580a38ae9798237711db

    SHA256

    c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

    SHA512

    2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
    Filesize

    485KB

    MD5

    86749cd13537a694795be5d87ef7106d

    SHA1

    538030845680a8be8219618daee29e368dc1e06c

    SHA256

    8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

    SHA512

    7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
    Filesize

    674KB

    MD5

    9c10a5ec52c145d340df7eafdb69c478

    SHA1

    57f3d99e41d123ad5f185fc21454367a7285db42

    SHA256

    ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

    SHA512

    2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
    Filesize

    536KB

    MD5

    c1d222fe7c6311e0b8d75a8728aa4ce7

    SHA1

    fe5ec004827c9ac8ddc954fabcfc1e196f49f340

    SHA256

    ea992e36be623bdafce1062dba476a76dd4b72bcb9173431519227a07b462d18

    SHA512

    0a209fe566a12274bac9e11937f6aa459f13e73658d6fff63db8fe9b654e9e87aa0406e3454d68ec1897b0465a9c7d9348f45edff434856736bdfa4445e34fa3

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    Filesize

    485KB

    MD5

    87f15006aea3b4433e226882a56f188d

    SHA1

    e3ad6beb8229af62b0824151dbf546c0506d4f65

    SHA256

    8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

    SHA512

    b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    Filesize

    536KB

    MD5

    f37059ff5298f91aa09efc2b9e9e0f82

    SHA1

    20e9046ad7e27cacd549a1cf3f4cee6488f1c9c9

    SHA256

    8c1e7b048883e735399b83cb87fdde347b22ea1a5fa2b6ca02fb08d6a242d14e

    SHA512

    72f7b12d5981d9541d91e540ae6d7f9ed3fbfd90a38d97a95adb4c86cf8fe218077d6ce0011be9694ee4bfe8f50ae2d6e754fa82d7de396cd767a417f3a4ac21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]
    Filesize

    2.3MB

    MD5

    6775b0b2cdd7cd537f132f77b73144b0

    SHA1

    a1bfc2ea21424a20431d0ac527916c7463eabb65

    SHA256

    4d5a5a19280efcff80150219ab749ca08c692e876b3a9f6a71c1af63b971f47f

    SHA512

    b1bea613fdb9c3d049243f82cb7370ac0c62eed38e6eec3d3312ca3f7e4cfc12283f244ea1eafafa123927b41cc9667603a55058991e8a23e8a4df151de65749

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
    Filesize

    548B

    MD5

    742c2400f2de964d0cce4a8dabadd708

    SHA1

    c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

    SHA256

    2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

    SHA512

    63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
    Filesize

    550B

    MD5

    51014c0c06acdd80f9ae4469e7d30a9e

    SHA1

    204e6a57c44242fad874377851b13099dfe60176

    SHA256

    89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

    SHA512

    79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
    Filesize

    1.2MB

    MD5

    3983d31b7a906d3351ef223ab4ffaa0a

    SHA1

    65b317231fbe779516558261b4b0f3e839e7e946

    SHA256

    db3ba29eb00805d400c41be842b176a24c2a14efffb9a78ed34e630749bf31c1

    SHA512

    5231b5b31aa9702aef52fcde8ce384477ff4ff1a7cc9f9a634035aaa2d328e0eaf991228b71b5e0c51ecf737b95c6a6a937808d22a4ca64432a2c74fbd9f4595

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
    Filesize

    350KB

    MD5

    803df907d936e08fbbd06020c411be93

    SHA1

    4aa4b498ae037a2b0479659374a5c3af5f6b8d97

    SHA256

    e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

    SHA512

    5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
    Filesize

    8B

    MD5

    cc96e7af572ffb6dd846a23596f2b427

    SHA1

    fc34085793b0822ccd2951aba17d69c1f7ff48e9

    SHA256

    b7dfa87e9583b6e9505e78042872bb7ebfd665827875dfb4e3c9c6c6ab410a34

    SHA512

    ffeaa0a9ac3c3c08fdc8e1081e274dab9fa99bcd7b4b7ae1193c8a5a752f25accb0c2016968281621164e98daf1a05b5bbddd26b25a6991b6cbd782bd3db442f

    Download Submit

  • C:\Windows\directx.sys
    Filesize

    55B

    MD5

    46bc0aeaa9047291ac2842d4a67418a6

    SHA1

    25991aecd5292a2ef58da7ec7335a7216ae1e15f

    SHA256

    e3ee98d23efd940c86489c855abc5882850a9ba29ec5aa50423f3b6cc38f36e9

    SHA512

    f0b3ab4b7466c747c6f2d7e57cff68f919610d1fbc5fc89f7890689761b8a015c77d6b69846ea8c1e2b578a84d668d6e00d466744f421f754c7212da35ed089d

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
    Filesize

    2.2MB

    MD5

    801c430414f434df6fc24a9891b3b118

    SHA1

    27301b1a6c2078f4eec06ec6f1f947f22a1598fc

    SHA256

    2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68

    SHA512

    e2c5e42a09c235d89ceb298ed27815c5b922e547568111ae916032f5cb85d89b197080d6641cf697f2fa18e11aebe66bef1669dc2155e9a89bfeb5e05eff1c29

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Filesize

    772KB

    MD5

    b93eb0a48c91a53bda6a1a074a4b431e

    SHA1

    ac693a14c697b1a8ee80318e260e817b8ee2aa86

    SHA256

    ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

    SHA512

    732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

    Download Submit

  • memory/2404-129-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2404-126-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2496-132-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2496-127-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2716-142-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download