Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
09-11-2021 20:21
Static task
static1
Behavioral task
behavioral1
Sample
Quote.png.scr
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
Quote.png.scr
Resource
win10-en-20211014
General
-
Target
Quote.png.scr
-
Size
528KB
-
MD5
06b4fd7c3d1966efe2747227379e2649
-
SHA1
6d1f81c6b8041395342e53476247109a3ca3f433
-
SHA256
b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
-
SHA512
8c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0
Malware Config
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1148-69-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1148-70-0x00000000004080E4-mapping.dmp family_neshta behavioral1/memory/1148-75-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
MSBuild.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" MSBuild.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Loads dropped DLL 1 IoCs
Processes:
MSBuild.exepid process 1148 MSBuild.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Quote.png.scrdescription pid process target process PID 320 set thread context of 1148 320 Quote.png.scr MSBuild.exe -
Drops file in Program Files directory 64 IoCs
Processes:
MSBuild.exedescription ioc process File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE MSBuild.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe MSBuild.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe MSBuild.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE MSBuild.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE MSBuild.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe MSBuild.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe MSBuild.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe MSBuild.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe MSBuild.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe MSBuild.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE MSBuild.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE MSBuild.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE MSBuild.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE MSBuild.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE MSBuild.exe -
Drops file in Windows directory 1 IoCs
Processes:
MSBuild.exedescription ioc process File opened for modification C:\Windows\svchost.com MSBuild.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
Processes:
MSBuild.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1480 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1480 powershell.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Quote.png.scrdescription pid process target process PID 320 wrote to memory of 1480 320 Quote.png.scr powershell.exe PID 320 wrote to memory of 1480 320 Quote.png.scr powershell.exe PID 320 wrote to memory of 1480 320 Quote.png.scr powershell.exe PID 320 wrote to memory of 1480 320 Quote.png.scr powershell.exe PID 320 wrote to memory of 888 320 Quote.png.scr schtasks.exe PID 320 wrote to memory of 888 320 Quote.png.scr schtasks.exe PID 320 wrote to memory of 888 320 Quote.png.scr schtasks.exe PID 320 wrote to memory of 888 320 Quote.png.scr schtasks.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe PID 320 wrote to memory of 1148 320 Quote.png.scr MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote.png.scr"C:\Users\Admin\AppData\Local\Temp\Quote.png.scr" /S1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jraYoU.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jraYoU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp52F0.tmp"2⤵
- Creates scheduled task(s)
PID:888 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"2⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1148
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp52F0.tmpMD5
2bf0c6d4f10d18156bba0afb9cbc2150
SHA1260f4c4dfef6711b80f5467470aba9a51662ddd0
SHA2562c085f48c95bf56200a62dd8140f3abf9f2336c07e83b8d98c1fef2ff140a060
SHA5129d0837ff85d4508c4b29f3c69a32cef9552b2ce46a03b94427707a28e769265e74615706527f8738c341608f3150047d95e58f9ef70187ecbf4aeff37a0cb842
-
C:\Users\Admin\AppData\Roaming\jraYoU.exeMD5
06b4fd7c3d1966efe2747227379e2649
SHA16d1f81c6b8041395342e53476247109a3ca3f433
SHA256b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
SHA5128c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0
-
\Users\Admin\AppData\Roaming\jraYoU.exeMD5
06b4fd7c3d1966efe2747227379e2649
SHA16d1f81c6b8041395342e53476247109a3ca3f433
SHA256b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
SHA5128c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0
-
memory/320-55-0x0000000075851000-0x0000000075853000-memory.dmpFilesize
8KB
-
memory/320-56-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/320-57-0x00000000003D1000-0x00000000003D2000-memory.dmpFilesize
4KB
-
memory/888-59-0x0000000000000000-mapping.dmp
-
memory/1148-66-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-70-0x00000000004080E4-mapping.dmp
-
memory/1148-65-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-63-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-67-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-68-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-69-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-64-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-62-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1148-75-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1480-74-0x00000000023D2000-0x00000000023D4000-memory.dmpFilesize
8KB
-
memory/1480-73-0x00000000023D1000-0x00000000023D2000-memory.dmpFilesize
4KB
-
memory/1480-72-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/1480-58-0x0000000000000000-mapping.dmp