Analysis
- max time kernel: 121s
- max time network: 135s
- submitted: 01-01-1970 00:00 (Unix epoch zero; treat the submission time as unset)
Static task: static1
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10-en-20210920
General
- Target: 1.exe
- Size: 614KB
- MD5: e6839a4ad6eb043bd41052740c27e1f9
- SHA1: a03ab63f5c070980be362d3b98bdd55f2574c228
- SHA256: 16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
- SHA512: 2524dc118ccbaf7c5bdd462d460e15e7eafeab3cd5a67fdde591fccb5a8a1c6394e3cdec17e9c8fd2a1a9e1861792ce86f1f5c42a2d8f197a278b075559aa19e
Malware Config
Signatures
- Detect Neshta Payload (1 IoC)
  YARA rule family_neshta matched the resource behavioral2/memory/2272-116-0x0000000000000000-mapping.dmp, a memory dump of the child process (PID 2272) in the Windows 10 run. The match is on the unpacked payload in memory, not on 1.exe as submitted, so scanning the file on disk with the same rule is not guaranteed to trigger it.
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process 1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  The clean default for this value is "%1" %*. After this write, every .exe launched through the shell runs C:\Windows\svchost.com first, with the real target and its arguments passed as parameters; the dropper then starts the target so the user notices nothing. Because the key lives under HKLM it affects every user on the machine and survives reboots. When cleaning, restore the default value before deleting C:\Windows\svchost.com, otherwise no .exe can be started from the shell.
- Neshta
  Neshta is a file infector: it writes its own code into other executables, so running any infected program spreads the infection further and damages the host programs.
- Loads dropped DLL (1 IoC)
  PID 2872 (1.exe). The only dropped DLL listed under Downloads is \Users\Admin\AppData\Local\Temp\nsfD004.tmp\snivhltj.dll; a ns*.tmp directory under %TEMP% is where NSIS installers extract their plugin DLLs, so the outer 1.exe is most likely an NSIS-packaged installer rather than the bare Neshta body.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report attaches no concrete IoC to this signature, so treat it as a heuristic hit rather than a confirmed capability.
- Drops file in Program Files directory (53 IoCs)
  Process 1.exe opened the following executables for modification. Paths are reproduced as the report prints them, in 8.3 short-name form (PROGRA~2, ACROBA~1, ...); resolve them to long names on the host before acting on them. For a file infector each of these is a candidate for carrying the Neshta body afterwards:
  - C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  - C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  - C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  - C:\PROGRA~2\INTERN~1\iexplore.exe
  - C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  - C:\PROGRA~2\WINDOW~2\wab.exe
  - C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  - C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  - C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  - C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  - C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  - C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  - C:\PROGRA~2\INTERN~1\ieinstal.exe
  - C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  - C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  - C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  - C:\PROGRA~2\Google\Update\DISABL~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  - C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  - C:\PROGRA~2\INTERN~1\ielowutil.exe
  - C:\PROGRA~2\WI54FB~1\setup_wm.exe
  - C:\PROGRA~2\WINDOW~2\WinMail.exe
  - C:\PROGRA~2\INTERN~1\ExtExport.exe
  - C:\PROGRA~2\WI54FB~1\wmprph.exe
  - C:\PROGRA~2\WI54FB~1\wmpshare.exe
  - C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  - C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  - C:\PROGRA~2\WI54FB~1\wmplayer.exe
  - C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  - C:\PROGRA~2\WINDOW~2\wabmig.exe
  - C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  - C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- Drops file in Windows directory (1 IoC)
  Process 1.exe: File opened for modification C:\Windows\svchost.com
  Note the .com extension and the location: the legitimate svchost.exe lives in C:\Windows\System32, and a svchost.com directly under C:\Windows is the Neshta dropper that the exefile association above points at.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report points at encryption, and for a file infector enumerating drives is simply how it finds further executables to infect.
- Modifies registry class (1 IoC)
  Process 1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  This is the same registry write as the filetype-association signature above, counted again under a broader category.
- Suspicious use of WriteProcessMemory (13 IoCs)
  13 × PID 2872 (1.exe) wrote to memory of PID 2272 (1.exe). The parent spawns a second copy of its own image and writes into it repeatedly; the YARA hit and all of the file and registry activity belong to the child (PID 2272), which is consistent with the outer process being an installer or loader that unpacks the Neshta payload and injects it into the child.
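The exefile hijack, the dropped svchost.com and the repeated WriteProcessMemory edges above are easiest to reason about once the report's flattened IoC lines are parsed into structured data. The following Python is an added example written for this page; it is not part of the sandbox report or its tooling. It assumes the report's "description ioc process" line layout and that the report's 8.3 paths contain no spaces; the function and variable names (parse_report, classify_exefile_command, neshta_indicators) are my own. The sample lines embedded in it are copied from the signatures above.

```python
"""Triage helper for Neshta-style sandbox IoCs (added example, not report code).

Parses the flattened "description ioc process" lines used by the report,
unescapes the registry value, and decides whether the exefile association
has been hijacked. Sample lines are copied from the report's Signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Default data of HKLM\SOFTWARE\Classes\exefile\shell\open\command on a
# clean Windows install: run the clicked executable with its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# The report concatenates many IoCs on one line, so every pattern is applied
# with finditer. The registry value is C-style escaped (\\ and \") and is
# matched as "either a non-quote/non-backslash char or an escape pair".
REG_SET_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>\S+)'
)
# Assumption: 8.3 short-name paths as printed by the report contain no spaces.
FILE_MOD_RE = re.compile(r'File opened for modification (?P<path>\S+) (?P<proc>\S+)')
WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)'
)

# Lines copied from the report (trailing " -" separators dropped).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 1.exe',
    r'File opened for modification C:\Windows\svchost.com 1.exe',
    r'File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 1.exe '
    r'File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 1.exe '
    r'File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 1.exe',
    r'PID 2872 wrote to memory of 2272 2872 1.exe 1.exe PID 2872 wrote to memory of 2272 2872 1.exe 1.exe',
]

EXEFILE_CMD_SUFFIX = r"classes\exefile\shell\open\command"


def unescape(value: str) -> str:
    # Undo the report's escaping: a backslash followed by X becomes X.
    return re.sub(r'\\(.)', r'\1', value)


@dataclass(frozen=True)
class ExefileHijack:
    hijacker: str  # binary interposed in front of every .exe launch
    command: str   # full command line as stored in the registry


def classify_exefile_command(command: str) -> Optional[ExefileHijack]:
    """Return None for the clean default, else the interposed binary.

    Neshta's pattern is '<dropper> "%1" %*': the real target becomes an
    argument of the dropper, which runs it after doing its own work.
    """
    cmd = command.strip()
    if cmd == CLEAN_EXEFILE_COMMAND:
        return None
    idx = cmd.find('"%1"')
    hijacker = cmd[:idx].strip() if idx > 0 else cmd
    return ExefileHijack(hijacker=hijacker, command=cmd)


def parse_report(lines):
    """Collect registry writes, file modifications and cross-process writes."""
    registry, files, edges = [], [], set()
    for line in lines:
        for m in REG_SET_RE.finditer(line):
            registry.append((m["key"], unescape(m["value"]), m["proc"]))
        for m in FILE_MOD_RE.finditer(line):
            files.append((m["path"], m["proc"]))
        for m in WPM_RE.finditer(line):
            # One entry per WriteProcessMemory call (13 in the report);
            # collapse to unique (source PID, target PID) edges.
            edges.add((m["src"], m["dst"]))
    return {"registry": registry, "files": files, "injections": sorted(edges)}


def neshta_indicators(findings):
    """Cross-check the parsed IoCs against the Neshta file-infector pattern."""
    hijacks = []
    for key, value, _proc in findings["registry"]:
        if key.lower().rstrip("\\").endswith(EXEFILE_CMD_SUFFIX):
            hit = classify_exefile_command(value)
            if hit is not None:
                hijacks.append(hit)
    modified = {path.lower() for path, _proc in findings["files"]}
    return {
        "exefile_hijacked": bool(hijacks),
        "hijacker": hijacks[0].hijacker if hijacks else None,
        # The hijack only works if the interposed binary was actually dropped.
        "hijacker_dropped": any(h.hijacker.lower() in modified for h in hijacks),
        # Program Files appears under its 8.3 alias; resolve to the long
        # name on the host before acting on these paths.
        "program_files_targets": sorted(
            path for path, _proc in findings["files"]
            if path.upper().startswith(r"C:\PROGRA~")),
        "injection_edges": findings["injections"],
    }


if __name__ == "__main__":
    for name, val in neshta_indicators(parse_report(SAMPLE_LINES)).items():
        print(f"{name}: {val}")
```

Run as a script it prints the verdict for the embedded lines. On a live host the same classify_exefile_command check can be fed the value read from HKLM\SOFTWARE\Classes\exefile\shell\open\command; a non-None result means the association must be restored to "%1" %* before the interposed binary is removed.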
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe, command line "C:\Users\Admin\AppData\Local\Temp\1.exe", PID 2872
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\1.exe, command line "C:\Users\Admin\AppData\Local\Temp\1.exe", PID 2272
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsfD004.tmp\snivhltj.dll
  - MD5: 0810741d83c6146718c3c17119879b1a
  - SHA1: 298d046f6f0ced5a60ba173847891e61018f34ae
  - SHA256: b237eb4878a416ce0dced719586e3a571aa482b792840a2010291e045e99f68e
  - SHA512: 23a945c1934299a6753eb4f4f258a8b06c41b0a679128d9821bbed9ebe587efa0a66acdd670cb4b51b05099cf14e5b92d1e15cb2c54dd1536dadc3c824eb1ba6
- memory/2272-116-0x0000000000000000-mapping.dmp
- memory/2272-117-0x00000000001D0000-0x00000000001EB000-memory.dmp (filesize 108KB)