Analysis
Max time kernel: 132s
Max time network: 125s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 27-10-2021 09:46

Static task: static1
Behavioral task: behavioral1
  Sample: ORDER OCT 28,2021.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ORDER OCT 28,2021.exe
  Resource: win10-en-20211014
General
Target: ORDER OCT 28,2021.exe
Size: 502KB
MD5: 947b72694e25a2fefcfadd3aeec7c0a1
SHA1: e1263f029a1d7a673218be6ba58f8f5c53b911fb
SHA256: 6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
SHA512: e4b2084a5259495bbcdebebaad6ca8d8e554374ce21b65ba52a4fec6d1ed5e626c36ef06447331b09fdb8a4651406aab91332068138d7e30c3b947221b7dcaab
Malware Config
Signatures
- Detect Neshta Payload (1 IoC)
  Resource: behavioral2/memory/368-117-0x0000000000000000-mapping.dmp
  YARA rule: family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: ORDER OCT 28,2021.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Loads dropped DLL (1 IoC)
  PID 3144: ORDER OCT 28,2021.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Drops file in Program Files directory (53 IoCs)
- Drops file in Windows directory (1 IoC)
  Process: ORDER OCT 28,2021.exe
  Description: File opened for modification
  IoC: C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: ORDER OCT 28,2021.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 3144 (ORDER OCT 28,2021.exe) wrote to memory of PID 368 (ORDER OCT 28,2021.exe); 13 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
  PID: 3144
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
    PID: 368
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsvC536.tmp\brkwwr.dll
  MD5: 526d857a1bdb294a6be8ea0c40005bfa
  SHA1: 23f31727a792a7deb57d84c730ee6a21ab84ca55
  SHA256: 2fe94d81ec07813f84c6b5a310fa0c58175bc5a4f73b464d6e93c321474038de
  SHA512: b3a0b21377d00edcc0b599998399a8ea4fa6a936680621e7e9b167d6373dc72069b1d3a174019cec024237797d7e8be4429365465ae34077b055e61759031ccd
- memory/368-117-0x0000000000000000-mapping.dmp
- memory/368-118-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB