Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 29-10-2021 00:09
Static task: static1
Behavioral task: behavioral1
  Sample: DUE SOA.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: DUE SOA.exe
  Resource: win10-en-20211014
General
- Target: DUE SOA.exe
- Size: 614KB
- MD5: e6839a4ad6eb043bd41052740c27e1f9
- SHA1: a03ab63f5c070980be362d3b98bdd55f2574c228
- SHA256: 16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
- SHA512: 2524dc118ccbaf7c5bdd462d460e15e7eafeab3cd5a67fdde591fccb5a8a1c6394e3cdec17e9c8fd2a1a9e1861792ce86f1f5c42a2d8f197a278b075559aa19e
Malware Config
Signatures
-
- Detect Neshta Payload (1 IoC)
  Resource: behavioral2/memory/1524-116-0x0000000000000000-mapping.dmp
  YARA rule: family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: DUE SOA.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware from the Neshta family injects itself into other executable files in order to spread and cause damage.
- Loads dropped DLL (1 IoC)
  Process: DUE SOA.exe (PID 2636)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (53 IoCs)
  Process: DUE SOA.exe; every entry below is "File opened for modification":
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\WINDOW~2\WinMail.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\WI54FB~1\wmplayer.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- Drops file in Windows directory (1 IoC)
  Process: DUE SOA.exe
  File opened for modification: C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: DUE SOA.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious use of WriteProcessMemory (13 IoCs)
  Process: DUE SOA.exe (PID 2636) wrote to memory of target process DUE SOA.exe (PID 1524); this write was recorded 13 times.
Processes
- C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe"
  PID: 2636
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe (depth 2, child of PID 2636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe"
    PID: 1524
    Signatures:
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsmC769.tmp\snivhltj.dll
  MD5: 0810741d83c6146718c3c17119879b1a
  SHA1: 298d046f6f0ced5a60ba173847891e61018f34ae
  SHA256: b237eb4878a416ce0dced719586e3a571aa482b792840a2010291e045e99f68e
  SHA512: 23a945c1934299a6753eb4f4f258a8b06c41b0a679128d9821bbed9ebe587efa0a66acdd670cb4b51b05099cf14e5b92d1e15cb2c54dd1536dadc3c824eb1ba6
- memory/1524-116-0x0000000000000000-mapping.dmp
- memory/1524-117-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB