Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

3798c62010...eN.exe

windows7-x64

10

3798c62010...eN.exe

windows10-2004-x64

10

Resubmissions

12/01/2025, 13:00 UTC

250112-p84zwasrhw 10

12/01/2025, 12:57 UTC

250112-p63c9svrer 10

Analysis

  • max time kernel
    95s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2025, 12:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe

  • Size

    96KB

  • MD5

    7e79a837d0d6342d0f0043c66e1d0640

  • SHA1

    c7b196f0ddae16c70c15d429800edb04e42ab06b

  • SHA256

    3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7e

  • SHA512

    5b7569dbd4f01ea95f879fd643d9e72f139bd41d968713f66f7763ad92b394aacbc5e57bad0d5613640e398619360faeeb44ae9c7e25b7799ac2481effee92bf

  • SSDEEP

    1536:JxqjQ+P04wsmJCJcadB73xzUobbpTiFbPCp5V3:sr85C+SB9Ti+p5V

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe
    "C:\Users\Admin\AppData\Local\Temp\3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\3582-490\3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe"
      2⤵
      • Executes dropped EXE
      PID:4472

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\3798c620106f7bcfb4b270c1f8cadfef5b7aea58440fc85d94e4161d71dabd7eN.exe
    Filesize

    56KB

    MD5

    9318023fc9043f94938158a8f020f964

    SHA1

    b0e8848b270b2034ad7f07f4c6158ce3770cbc55

    SHA256

    0985749c7788c9c4d747d7b5cd730ec6873a47b11c1232d83c3ba014c5450b2e

    SHA512

    93133deb99583eba308cf7d9ff22355932b6c56a72f7148d7fe462bd5218f770815cdac3fb87e86ce6d95ee5f47e49f200d60e69162e0b8db1225decdaebef5e

    Download Submit

  • memory/2036-95-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2036-96-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2036-98-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.