Overview

overview

10

Static

static

ORDER-021406_pdf.jar

windows7_x64

10

ORDER-021406_pdf.jar

windows10-2004_x64

10

Order.xlsx

windows7_x64

1

Order.xlsx

windows10-2004_x64

4

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-02-2022 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-021406_pdf.jar

  • Size

    115KB

  • MD5

    9b1704c9472dec7f1a64667093192a29

  • SHA1

    0412046a5e917a5773043db094e6088897e00519

  • SHA256

    0f081b6ad1242ba0528e7f7058c0f98ec52299272d63844735fa6574ba7ecb85

  • SHA512

    c26b7b6a9ac198f55cf1b832557cc71d03a4fdec0c3f754d1b8762fee359c4191905904e6ebaebf0abfc16c710912437c9ceb6527b5c43ae17996b46368962a1

Score
10/10
neshtapersistencespywarestealersuricata

Malware Config

Signatures

  • Detect Neshta Payload 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE DTLoader Binary Request M2

    suricata: ET MALWARE DTLoader Binary Request M2

    suricata
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-021406_pdf.jar
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Users\Admin\cq4u.exe
      C:\Users\Admin\cq4u.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1640
          4⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3996
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3836 -ip 3836
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe
    MD5

    d56c3670c975055b327498b1f6d21b7d

    SHA1

    11b54837674223b45dddd7300903fa5078a9a04f

    SHA256

    73583c9268aba6ca2ab7572919c71e5d0cb8c4cf1a1c5ce65f7e2a41159cc177

    SHA512

    357ff67ee7a576e417d258ce1aac9fb9a762bedcdba71747cab608f66c67cfcd25c6d112872f7a6c5f3fe9e794764d9f1979c3b78369735ac3e94349f1c77644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe
    MD5

    d56c3670c975055b327498b1f6d21b7d

    SHA1

    11b54837674223b45dddd7300903fa5078a9a04f

    SHA256

    73583c9268aba6ca2ab7572919c71e5d0cb8c4cf1a1c5ce65f7e2a41159cc177

    SHA512

    357ff67ee7a576e417d258ce1aac9fb9a762bedcdba71747cab608f66c67cfcd25c6d112872f7a6c5f3fe9e794764d9f1979c3b78369735ac3e94349f1c77644

    Download Submit
  • C:\Users\Admin\cq4u.exe
    MD5

    71b56603c0d5a3504d5f4ec61540f630

    SHA1

    3999fac595a275739d8142ffc90f1b707b9c3d31

    SHA256

    925d620fc769a4db1a3fb08379fbf8ffbacb73a55768e083950d6f5360fb0645

    SHA512

    fc91f255d42759cfd5cf8eab63f969f1e29c47e1b54c6ca0c897841a052b68a4ac5921587a9aae6267717f88453c101c12de26ead61f11dc25ffa1aeaf2675f1

    Download Submit
  • C:\Users\Admin\cq4u.exe
    MD5

    71b56603c0d5a3504d5f4ec61540f630

    SHA1

    3999fac595a275739d8142ffc90f1b707b9c3d31

    SHA256

    925d620fc769a4db1a3fb08379fbf8ffbacb73a55768e083950d6f5360fb0645

    SHA512

    fc91f255d42759cfd5cf8eab63f969f1e29c47e1b54c6ca0c897841a052b68a4ac5921587a9aae6267717f88453c101c12de26ead61f11dc25ffa1aeaf2675f1

    Download Submit
  • memory/3784-131-0x00000000026A0000-0x00000000117A0000-memory.dmp
    Filesize

    241.0MB

    Download
  • memory/3784-132-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3784-144-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-152-0x0000000000390000-0x00000000003B4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3836-153-0x0000000004D20000-0x0000000004D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-154-0x00000000056D0000-0x000000000576C000-memory.dmp
    Filesize

    624KB

    Download