Overview

overview

10

Static

static

Quote.png.scr

windows7_x64

10

Quote.png.scr

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    09-11-2021 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote.png.scr

  • Size

    528KB

  • MD5

    06b4fd7c3d1966efe2747227379e2649

  • SHA1

    6d1f81c6b8041395342e53476247109a3ca3f433

  • SHA256

    b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b

  • SHA512

    8c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta Payload 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote.png.scr
    "C:\Users\Admin\AppData\Local\Temp\Quote.png.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jraYoU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jraYoU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp52F0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:888
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      2⤵
      • Modifies system executable filetype association
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp52F0.tmp
    MD5

    2bf0c6d4f10d18156bba0afb9cbc2150

    SHA1

    260f4c4dfef6711b80f5467470aba9a51662ddd0

    SHA256

    2c085f48c95bf56200a62dd8140f3abf9f2336c07e83b8d98c1fef2ff140a060

    SHA512

    9d0837ff85d4508c4b29f3c69a32cef9552b2ce46a03b94427707a28e769265e74615706527f8738c341608f3150047d95e58f9ef70187ecbf4aeff37a0cb842

    Download Submit
  • C:\Users\Admin\AppData\Roaming\jraYoU.exe
    MD5

    06b4fd7c3d1966efe2747227379e2649

    SHA1

    6d1f81c6b8041395342e53476247109a3ca3f433

    SHA256

    b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b

    SHA512

    8c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0

    Download Submit
  • \Users\Admin\AppData\Roaming\jraYoU.exe
    MD5

    06b4fd7c3d1966efe2747227379e2649

    SHA1

    6d1f81c6b8041395342e53476247109a3ca3f433

    SHA256

    b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b

    SHA512

    8c74a3ee29ca9c8c14871be2035c56a397bc81b1a022595fea3e102d5df9243c30e0ad59b7865bd66b3e413c80246493a2a43c6655085f8bb4b9f21f9ff9f8c0

    Download Submit
  • memory/320-55-0x0000000075851000-0x0000000075853000-memory.dmp
    Filesize

    8KB

    Download
  • memory/320-56-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/320-57-0x00000000003D1000-0x00000000003D2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/888-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1148-66-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-70-0x00000000004080E4-mapping.dmp
    Download
  • memory/1148-65-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-63-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-67-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-68-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-69-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-64-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-62-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1148-75-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1480-74-0x00000000023D2000-0x00000000023D4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1480-73-0x00000000023D1000-0x00000000023D2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-72-0x00000000023D0000-0x00000000023D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-58-0x0000000000000000-mapping.dmp
    Download