Analysis
-
max time kernel
114s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2022 15:10
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220721-en
General
-
Target
1.exe
-
Size
851KB
-
MD5
286099dac2f03c7764d9fc6d8c5e02e2
-
SHA1
eedd56af4f225f991eb63f37597d7ab6e4abeac7
-
SHA256
4d6bee9938b85e65fabba0b920efcff479e565ebbdd91a7d6a631fa7475e9f74
-
SHA512
63cf51afd8a4cf8c8afdb498dbf589b12b86c8b978313e9a41ad9dbf1f511cac55b938fa479b8d76e1330df7b7dd6c5be94759165467eb234d6dbc5380edc3b9
Malware Config
Signatures
-
Detect Neshta payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/1048-142-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1048-143-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1048-144-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1048-145-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1048-147-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1048-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
InstallUtil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" InstallUtil.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation 1.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddhnvo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wirkpkfbm\\Ddhnvo.exe\"" 1.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9A050A08-4B42-49F9-B35B-87045164578F}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2954CD32-DCE7-4530-899B-28A397B528B8}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1.exedescription pid process target process PID 4324 set thread context of 1048 4324 1.exe InstallUtil.exe -
Drops file in Program Files directory 64 IoCs
Processes:
InstallUtil.exedescription ioc process File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MI391D~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe InstallUtil.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13163~1.19\MICROS~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~4.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~3.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MI9C33~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe InstallUtil.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~2.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe InstallUtil.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe InstallUtil.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe InstallUtil.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe InstallUtil.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe InstallUtil.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe InstallUtil.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE InstallUtil.exe -
Drops file in Windows directory 1 IoCs
Processes:
InstallUtil.exedescription ioc process File opened for modification C:\Windows\svchost.com InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Modifies registry class 1 IoCs
Processes:
InstallUtil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
1.exepowershell.exepid process 4324 1.exe 1264 powershell.exe 1264 powershell.exe 4324 1.exe 4324 1.exe 4324 1.exe 4324 1.exe 4324 1.exe 4324 1.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
1.exepowershell.exedescription pid process Token: SeDebugPrivilege 4324 1.exe Token: SeDebugPrivilege 1264 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
1.exedescription pid process target process PID 4324 wrote to memory of 1264 4324 1.exe powershell.exe PID 4324 wrote to memory of 1264 4324 1.exe powershell.exe PID 4324 wrote to memory of 1264 4324 1.exe powershell.exe PID 4324 wrote to memory of 1044 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1044 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1044 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe PID 4324 wrote to memory of 1048 4324 1.exe InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1048
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1996
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
891KB
MD52bae35cb37885221cf82174985f7854d
SHA10bd3a8e0c33f9b3104c78b67d44bad5d0fbb6303
SHA2569bf43016236415af949773be2d6977c08e450f66efd95b83febf2148f8dc1307
SHA51250bf9d587eb3d3df7ee4a41e8d87568a200f662c39213127a7893d3fd68830a8bc79940a1f8ba895b0e52057744532b6fe120b9214bf15ada13523ab16c6ff3f