Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-08-2022 13:32
Static task: static1
Behavioral task: behavioral1
- Sample: SOA.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: SOA.exe
- Resource: win10v2004-20220721-en
General
- Target: SOA.exe
- Size: 1.9MB
- MD5: 081ccbaad04fe1298a6cd6b04c63fd14
- SHA1: 87a31f4f90543f69f37fdcf7d0a4d8d5ca99de08
- SHA256: 888101d59c219dc57cf3bec1dec7f3880bfb2e6d966da604eb2485741d72f889
- SHA512: e66b75dd580a3c60b418477e5e960b3893b12882981d4df71515262e0ea5c3062230d9d597c0b866c241a670961d124b5fa5f9052e20514b22642bcb9a7688b3
Malware Config
Signatures
Detect Neshta payload (6 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/1560-143-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral2/memory/1560-144-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral2/memory/1560-145-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral2/memory/1560-146-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral2/memory/1560-148-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral2/memory/1560-149-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: InstallUtil.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | InstallUtil.exe |
Neshta
Malware from the Neshta family is a file infector: it writes its own code into other executable files to spread and cause damage.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: SOA.exe
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | SOA.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: SOA.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdxymb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zifieqouw\\Rdxymb.exe\"" | SOA.exe |
Suspicious use of SetThreadContext (1 IoCs)
Processes: SOA.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 2100 set thread context of 1560 | 2100 | SOA.exe | InstallUtil.exe |
Drops file in Program Files directory (64 IoCs)
Processes: InstallUtil.exe
Drops file in Windows directory (1 IoCs)
Processes: InstallUtil.exe
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\svchost.com | InstallUtil.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: InstallUtil.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, SOA.exe
| pid | process |
|---|---|
| 3000 | powershell.exe |
| 3000 | powershell.exe |
| 2100 | SOA.exe |
| 2100 | SOA.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SOA.exe, powershell.exe
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2100 | SOA.exe |
| Token: SeDebugPrivilege | 3000 | powershell.exe |
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: SOA.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 2100 wrote to memory of 3000 | 2100 | SOA.exe | powershell.exe |
| PID 2100 wrote to memory of 3000 | 2100 | SOA.exe | powershell.exe |
| PID 2100 wrote to memory of 3000 | 2100 | SOA.exe | powershell.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
| PID 2100 wrote to memory of 1560 | 2100 | SOA.exe | InstallUtil.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2100
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA=
    (the -enc argument is the UTF-16LE base64 encoding of Start-Sleep -Seconds 6, a delay before the injection into InstallUtil.exe)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3000
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID: 1560
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.9MB
- MD5: c6b31221b6b2442be5303e7db0e0dde0
- SHA1: adbf330dfd49e3709899b3f267b7f24a65768919
- SHA256: 93457c3efeb0f9a45f9aad4f5a71fb493e3bc479e598875d867ff065cdb958ee
- SHA512: 7cd5fad83b6ff60df45a72680329e6dfeed782a170dac6afa9d05d1b2c1a8261b99584512e49759e24e5b0850fab4a8e68e34b348bed9d65b08d779824895c51