Analysis

  • max time kernel
    123s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    23-10-2021 07:48

General

  • Target

    24352a3a.docx

  • Size

    10KB

  • MD5

    41d36ccc9c5225adf6be4bfff6747788

  • SHA1

    ca688ea823b17b517ba815a6e18efe431747cc95

  • SHA256

    24352a3a3322b6766dde282ac9b416d7ad614509a22c6dd43b3e68a96e35120b

  • SHA512

    1cde26e8e43d9cfef7e902c1cd397057f0b4049835618c94b9e49a1263d5408491a2361a7e3e1be75c0ca84ba8c10f0abe3a9cab032c156635d491112ea554cd

Malware Config

Signatures

  • Detect Neshta Payload 9 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread and cause damage.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 23 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\24352a3a.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1252
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
            "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1648
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 148
              5⤵
              • Loads dropped DLL
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:932

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\KC94CCU5\VBC_1_~1.EXE
      MD5

      846c48f81be036e4c12dfa55ae26b703

      SHA1

      c7d363acb97d13a38aa8fc3b4325e24201b3fbeb

      SHA256

      db2b9cca6b36ba5eda89175d38d43d4a1eda04871431c1cfe9141bd747576008

      SHA512

      9a21dd4962b98b54a4503efe33167df7b0afeeca3354fa1ce9634c4d6f5a14aa79750e6edbdbeb8615bd658461483e39710158c3b7813bcdf1172de184be2ba0

    • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
      MD5

      c69c103775fd2576a6d99c419ce6fc1c

      SHA1

      386fba9917be1e55feffb6f4dd1a8004f6c0bc2b

      SHA256

      6e27bea9457c704e8b3331436c0853420264beb31d718839fa68206aa3fef08c

      SHA512

      03531f640d6e766929cd7feba0e5dea4ccb12c941a3abca559b4dd740c3673a715073950d6d305e73e8fdddc28461cbc0021f163bcb88f4fdf2ce12aaa2bc1a3

    • C:\Users\Public\vbc.exe
      MD5

      846c48f81be036e4c12dfa55ae26b703

      SHA1

      c7d363acb97d13a38aa8fc3b4325e24201b3fbeb

      SHA256

      db2b9cca6b36ba5eda89175d38d43d4a1eda04871431c1cfe9141bd747576008

      SHA512

      9a21dd4962b98b54a4503efe33167df7b0afeeca3354fa1ce9634c4d6f5a14aa79750e6edbdbeb8615bd658461483e39710158c3b7813bcdf1172de184be2ba0

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
      MD5

      c69c103775fd2576a6d99c419ce6fc1c

      SHA1

      386fba9917be1e55feffb6f4dd1a8004f6c0bc2b

      SHA256

      6e27bea9457c704e8b3331436c0853420264beb31d718839fa68206aa3fef08c

      SHA512

      03531f640d6e766929cd7feba0e5dea4ccb12c941a3abca559b4dd740c3673a715073950d6d305e73e8fdddc28461cbc0021f163bcb88f4fdf2ce12aaa2bc1a3

    • \Users\Admin\AppData\Local\Temp\nsy2991.tmp\msgnkmrsjrk.dll
      MD5

      5c0e50a26194357d00c289fae4347d89

      SHA1

      3d3f275b783aacb6cc9b013f5164e29fd886c886

      SHA256

      193e2821b11e9f82d683806fa56ce19d0a1efeb8edf430ce0922d77d7e52dcd0

      SHA512

      468d3c0ec971716d1890cdbf6b9990fa254321e0ae6d43b38e88709af5851867f4b033258bacd73ed9637cfac5df7716d8350c353c8fa89a9c14f90670a61b75

    • \Users\Public\vbc.exe
      MD5

      846c48f81be036e4c12dfa55ae26b703

      SHA1

      c7d363acb97d13a38aa8fc3b4325e24201b3fbeb

      SHA256

      db2b9cca6b36ba5eda89175d38d43d4a1eda04871431c1cfe9141bd747576008

      SHA512

      9a21dd4962b98b54a4503efe33167df7b0afeeca3354fa1ce9634c4d6f5a14aa79750e6edbdbeb8615bd658461483e39710158c3b7813bcdf1172de184be2ba0

    • memory/932-87-0x0000000000000000-mapping.dmp
    • memory/932-93-0x00000000008D0000-0x00000000008D1000-memory.dmp
      Filesize

      4KB

    • memory/1016-69-0x0000000000000000-mapping.dmp
    • memory/1252-80-0x0000000000000000-mapping.dmp
    • memory/1252-90-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
      Filesize

      8KB

    • memory/1308-64-0x0000000000000000-mapping.dmp
    • memory/1648-75-0x0000000000000000-mapping.dmp
    • memory/1648-82-0x00000000001C0000-0x00000000001DB000-memory.dmp
      Filesize

      108KB

    • memory/1648-77-0x00000000001C0000-0x00000000001DB000-memory.dmp
      Filesize

      108KB

    • memory/1720-55-0x0000000072631000-0x0000000072634000-memory.dmp
      Filesize

      12KB

    • memory/1720-58-0x00000000763C1000-0x00000000763C3000-memory.dmp
      Filesize

      8KB

    • memory/1720-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1720-56-0x00000000700B1000-0x00000000700B3000-memory.dmp
      Filesize

      8KB

    • memory/1720-96-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB