neshta | 4e32bec63d6c3bd84610060a50c7bffb89a7e19c2d41953b613d20f3d74dba2d

Analysis

max time kernel
191s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

samp-npc.exe
Size

392KB
MD5

5a1e2e8b2fca5a40ab426bd3f533b3f2
SHA1

7f73f23a7b16aa3c8262d76fc30b1e514cfbe7de
SHA256

b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805
SHA512

514e32472eac1ebdf963136e1d80f249e4c097a4926e362697d005f3100add5afd7f76a4e1b59b321800eabe5ab42f0261b318939d5c3d63f60e4ed18fc9d9e2
SSDEEP

6144:Pu++THBU7JnFjlJlQ8TM4r0zsaBuxtj/cjAOvP99qqDLuEnIorHSzhl6GkkakJL:9+TIvSGrOsaBuPcjwqnuqI7LaQL

Score

10^/10

neshta sality backdoor persistence spyware upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

samp-npc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	samp-npc.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Executes dropped EXE 1 IoCs

Processes:

samp-npc.exe

pid process

4888 samp-npc.exe

pid	process
4888	samp-npc.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/memory/4888-135-0x0000000002280000-0x000000000330E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

samp-npc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	samp-npc.exe

Drops file in Windows directory 1 IoCs

Processes:

samp-npc.exe

description ioc process

File opened for modification C:\Windows\svchost.com samp-npc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	samp-npc.exe

Modifies registry class 1 IoCs

Processes:

samp-npc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	samp-npc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

samp-npc.exe

description	pid	process	target process
PID 5108 wrote to memory of 4888	5108	samp-npc.exe	samp-npc.exe
PID 5108 wrote to memory of 4888	5108	samp-npc.exe	samp-npc.exe
PID 5108 wrote to memory of 4888	5108	samp-npc.exe	samp-npc.exe

C:\Users\Admin\AppData\Local\Temp\samp-npc.exe
"C:\Users\Admin\AppData\Local\Temp\samp-npc.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe"
  2⤵
  - Executes dropped EXE
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe

Filesize
352KB

MD5
9e569f1233a9742a0562c3ac17932710

SHA1
d5adb4084a72f3d535042aff65ad15933963fa8a

SHA256
004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042

SHA512
078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe

Filesize
352KB

MD5
9e569f1233a9742a0562c3ac17932710

SHA1
d5adb4084a72f3d535042aff65ad15933963fa8a

SHA256
004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042

SHA512
078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81

Download Submit
memory/4888-132-0x0000000000000000-mapping.dmp

Download
memory/4888-135-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/4888-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download