Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 21:49
Behavioral task: behavioral1
Sample: f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
Resource: win7-20220812-en
General
Target: f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
Size: 1.4MB
MD5: 8365e42574d2d4d21e9442c58d14023a
SHA1: 90d11f875cfd06a758b425a1c52b63bc426a77f1
SHA256: f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a
SHA512: e682ccfaca84deb03911fff659d755e34d280698ba5601702eb3b8e38a934edf8f6f5603fd591d250d749fbc84727c1e7b68116c1aa1e45a111e24609d4b10c7
SSDEEP: 12288:Mls1nC+xpwcRrabrMoQ3Mls1nC+xpE05uuML+CHz7mjiuCzQl+D387h+y9PB22lG:PsnMoQ3PilNbzqMzQADs7h+EJJl
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet / campaign ID: تشفير كلين xor (Arabic, roughly "clean xor encryption"; the string is the operator-chosen campaign name)
C2: mrhackeralisaad.ddns.net:14789
Mutex: c6fae74375b915979c7c26341c1a9e41
reg_key: c6fae74375b915979c7c26341c1a9e41
splitter: |'|'|

The reg_key is reused as the name of the Run registry value written later in this run, and the splitter is the delimiter njRAT places between the fields of every C2 message. The C2 host is a dynamic-DNS name, so the IP it resolves to should be re-checked rather than blocked statically.
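The extracted splitter only matters if you know how njRAT frames its traffic. The following parser is an added example written for this page; it is not part of the sandbox report and not njRAT's own code. It assumes the classic njRAT 0.7d wire format (an ASCII decimal length, a NUL byte, then that many payload bytes, with fields joined by the configured splitter). The "ll" registration command and the "HacKed_" victim-id prefix in the constructed sample come from public write-ups of this version and may differ between builds; the sample bytes are constructed, not captured from this run.

```python
"""Frame and field parser for njRAT 0.7d C2 traffic (added example).

Assumed framing: "<decimal length>\x00<payload>", fields inside the payload
separated by the splitter from the extracted config.
"""
import base64
import binascii
from typing import List, Optional, Tuple

SPLITTER = b"|'|'|"   # "splitter" value from the extracted config
MAX_FRAME = 1 << 20    # refuse absurd lengths so a hostile peer cannot make us buffer forever


class FrameError(ValueError):
    """Raised when the byte stream does not follow the expected framing."""


def split_frames(stream: bytes, max_frame: int = MAX_FRAME) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream into complete njRAT frames.

    Returns (payloads, leftover). `leftover` is a trailing partial frame
    (or empty) that the caller should prepend to the next TCP segment.
    """
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                               # length header not complete yet
        header = stream[pos:nul]
        if not header.isdigit() or len(header) > 7:
            raise FrameError(f"bad length header at offset {pos}: {header!r}")
        length = int(header)
        if length > max_frame:
            raise FrameError(f"frame length {length} exceeds cap of {max_frame}")
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                               # payload not complete yet
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_fields(payload: bytes, splitter: bytes = SPLITTER) -> List[bytes]:
    """Split one payload into its fields; the first field is the command name."""
    return payload.split(splitter)


def decode_victim_id(field: bytes) -> Optional[str]:
    """njRAT base64-encodes the victim identifier; return None if the field is not valid base64."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Constructed sample traffic (assumption, not captured from this run): a registration
# beacon, a one-byte frame, and a truncated frame that is still waiting for more data.
_VICTIM_ID = base64.b64encode(b"HacKed_5C4F12AB")
_BEACON = SPLITTER.join([b"ll", _VICTIM_ID, b"WIN7-PC", b"Admin", b"Win 7 Professional SP1 x64"])
SAMPLE_STREAM = (
    str(len(_BEACON)).encode() + b"\x00" + _BEACON
    + b"1\x00P"
    + b"12\x00inf" + SPLITTER                  # declares 12 bytes, only 8 are present
)


def summarize(stream: bytes) -> List[dict]:
    """Decode every complete frame into {command, fields, victim_id}; partial data is left for later."""
    frames, _leftover = split_frames(stream)
    out = []
    for payload in frames:
        fields = parse_fields(payload)
        out.append({
            "command": fields[0].decode("latin-1"),
            "fields": fields[1:],
            "victim_id": decode_victim_id(fields[1]) if len(fields) > 1 else None,
        })
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_STREAM):
        print(entry)
```

The length cap and the partial-frame handling are the parts worth copying into a real network sensor: a RAT operator controls both the declared length and how the stream is chunked, so a parser that trusts either will either over-buffer or desynchronise.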
Signatures

Detect Neshta payload (4 IoCs)
YARA rule family_neshta matched:
  behavioral1/memory/340-54-0x0000000000AA0000-0x0000000000BFA000-memory.dmp (image of the submitted sample, PID 340)
  \Users\Admin\AppData\Local\Tempprogram.exe (two hits)
  C:\Users\Admin\AppData\Local\Tempprogram.exe
Neshta is a file-infecting virus: it prepends its own code to other executables so that running any infected program re-executes the infector and spreads it further, and the host files are damaged in the process. In this run the rule fires on the dropped Tempprogram.exe (855KB) and on the parent image that embeds it; the njRAT component (Tempserver.exe / chrome.exe) produced no Neshta hits.
Executes dropped EXE (3 IoCs)
  PID 1340  Tempserver.exe
  PID 1240  Tempprogram.exe
  PID 1576  chrome.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe (PID 1924), launched by chrome.exe (PID 1576): netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
  The legacy "netsh firewall" context is deprecated on Windows 7 but still applies the change: it adds an inbound program exception for the RAT binary. njRAT issues this unconditionally even though its C2 connection is outbound, so the command line itself is a usable detection.
Loads dropped DLL (4 IoCs)
  PID 340   f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe (3 hits)
  PID 1340  Tempserver.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  chrome.exe (PID 1576) set value (str):
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6fae74375b915979c7c26341c1a9e41 = "C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..
    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6fae74375b915979c7c26341c1a9e41 = "C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..
  The value name is the reg_key from the extracted config. The HKLM write lands under Wow6432Node because the 32-bit process is registry-redirected on x64; entries there are still executed at logon, so both keys need to be cleaned. The trailing " .." argument is characteristic of njRAT's autostart command line.
Enumerates physical storage devices (1 TTP)
  The sample touches connected storage/optical drives. The sandbox's stock description labels this "likely ransomware behaviour", but nothing else in this report supports that: no file encryption or mass renaming is recorded. njRAT ships a file manager and a removable-drive spreading option, and either enumerates drives, which is the more plausible explanation here.
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  chrome.exe (PID 1576) enabled: SeDebugPrivilege (once), then privilege 33 (LUID 33 is SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege, alternating, three times each.
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 340  (f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe) -> PID 1340 (Tempserver.exe)   4 writes
  PID 340  (f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe) -> PID 1240 (Tempprogram.exe)  4 writes
  PID 1340 (Tempserver.exe) -> PID 1576 (chrome.exe)   4 writes
  PID 1576 (chrome.exe)     -> PID 1924 (netsh.exe)    4 writes
  Every pair is a parent writing into a child it has just created, which is the normal pattern during CreateProcess on this platform. On its own this signature documents the launch chain, not code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
  "C:\Users\Admin\AppData\Local\Temp\f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe"  (PID 340)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Tempserver.exe
    "C:\Users\Admin\AppData\Local\Tempserver.exe"  (PID 1340)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome.exe"  (PID 1576)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE  (PID 1924)
        - Modifies Windows Firewall

  C:\Users\Admin\AppData\Local\Tempprogram.exe
    "C:\Users\Admin\AppData\Local\Tempprogram.exe"  (PID 1240)
    - Executes dropped EXE

Two details of this tree are worth noting. Tempserver.exe and Tempprogram.exe sit directly in %LOCALAPPDATA% rather than in Temp, which is consistent with the dropper joining the Temp directory and the file name without a path separator; hunt for both spellings. Tempserver.exe and the chrome.exe it launched have identical size and hashes (see Downloads), so chrome.exe is the njRAT stub's installed copy and is the file that persists through the Run keys.
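The process tree above contains three host-side signals that survive a change of C2 domain or file hash: a browser-named binary running from a user-writable directory, a netsh firewall exception pointing at that binary, and a Run value with njRAT's 32-hex name and trailing " .." argument. The rules below are an added example written for this page, not part of the sandbox report or of any vendor's detection content. They assume a minimal Sysmon-like event shape (plain dicts with a "type" and a few string fields); the sample events are constructed from the command lines and registry writes shown in the tree, plus a benign control case, and the list of borrowed process names is an assumption to extend per estate.

```python
"""Detection rules for njRAT-style persistence, firewall tampering and
masquerading (added example; event shape and sample events are assumptions)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (ATT&CK technique id, human-readable detail)

# Locations a standard user can write to; legitimate autostart binaries rarely live here.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\|^(?:[a-z]:)?\\programdata\\|\\temp\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.IGNORECASE,
)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
NETSH_FW_ADD = re.compile(r"\bfirewall\s+add\s+(?:allowedprogram|rule)\b", re.IGNORECASE)
BORROWED_NAMES = {"chrome.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}  # assumption


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def check_process(evt: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    image = evt.get("image", "")
    cmd = evt.get("command_line", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in BORROWED_NAMES and user_writable(image):
        out.append(("T1036.005", f"{name} running from user-writable path {image}"))
    if name == "netsh.exe" and NETSH_FW_ADD.search(cmd):
        # Covers the legacy 'netsh firewall add allowedprogram "<path>"' form seen in this
        # report and the 'netsh advfirewall firewall add rule ... program=<path>' form.
        targets = re.findall(r'"([^"]+)"', cmd) + [
            t.strip('"') for t in re.findall(r'program=("[^"]+"|\S+)', cmd, re.IGNORECASE)
        ]
        for target in dict.fromkeys(targets):          # de-duplicate, keep order
            if user_writable(target):
                out.append(("T1562.004", f"firewall exception added for user-writable binary {target}"))
    return out


def check_registry(evt: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    key = evt.get("key", "")
    data = evt.get("data", "")
    if not RUN_KEY.search(key):
        return out
    value_name = key.rsplit("\\", 1)[-1]
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)      # first token of the command line
    target = (m.group(1) or m.group(2)) if m else ""
    if user_writable(target):
        out.append(("T1547.001", f"Run value {value_name} points to user-writable path {target}"))
    if HEX32.match(value_name):
        out.append(("T1547.001", f"Run value name {value_name} is a 32-hex identifier (njRAT reg_key style)"))
    if data.rstrip().endswith(" .."):
        out.append(("T1547.001", "Run data ends with the ' ..' argument njRAT appends to its autostart entry"))
    return out


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, Finding]]:
    """Run every rule over every event; returns (event index, finding) pairs."""
    results: List[Tuple[int, Finding]] = []
    for i, evt in enumerate(events):
        checker = check_process if evt.get("type") == "process" else check_registry
        results.extend((i, f) for f in checker(evt))
    return results


# Constructed events modelled on this report's process tree and registry writes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\chrome.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "command_line": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE'},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6fae74375b915979c7c26341c1a9e41",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..'},
    # Benign control: the real browser registering its own autostart from Program Files.
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch",
     "data": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'},
]

if __name__ == "__main__":
    for idx, (technique, detail) in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} {detail}")
```

The benign control case is deliberate: a Run value for a browser is ordinary, and what separates the malicious one is the user-writable path, the hex value name and the " .." suffix, so a rule that keys only on "chrome.exe in a Run key" would be noise.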
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Three distinct dropped files; the original listing repeats each under more than one path spelling.

C:\Users\Admin\AppData\Local\Tempserver.exe  (also listed as \Users\Admin\AppData\Local\Tempserver.exe)
  Filesize: 471KB
  MD5: 28a98cfd0702a6f39458c7a3596dc06f
  SHA1: be12db2b480ee58d910cc62d9af737d31b8bcf4f
  SHA256: 8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a
  SHA512: e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

C:\Users\Admin\AppData\Local\Temp\chrome.exe  (also listed as \Users\Admin\AppData\Local\Temp\chrome.exe)
  Filesize: 471KB
  Byte-identical to Tempserver.exe above (same MD5, SHA1, SHA256 and SHA512): the njRAT stub's installed copy.

C:\Users\Admin\AppData\Local\Tempprogram.exe  (also listed as \Users\Admin\AppData\Local\Tempprogram.exe)
  Filesize: 855KB
  MD5: e5bec46bb12121fa39247e2babac3745
  SHA1: 9aceaa28449d292014af8938738af2247320b8dc
  SHA256: 947627fa9de64f743c13768cbf846154707b36917414fe8c60cd35fc3c2f365e
  SHA512: 54cc4d61df12ace344b145c83d870640ea179b01b29a1a6f5bc0a66e0c5dbbd48f9db6891eeb94dcb0d21447eb3b6316e570e55759b2d7ef9e5c99830262d906
  Matched the family_neshta YARA rule (see Signatures).
memory/340-54-0x0000000000AA0000-0x0000000000BFA000-memory.dmp  1.4MB  (PID 340, the sample's own image; family_neshta hit)
memory/340-55-0x0000000075771000-0x0000000075773000-memory.dmp  8KB
memory/1240-63-0x0000000000000000-mapping.dmp  (PID 1240, Tempprogram.exe; mapping only)
memory/1340-60-0x00000000001A0000-0x000000000021C000-memory.dmp  496KB
memory/1340-57-0x0000000000000000-mapping.dmp  (PID 1340, Tempserver.exe; mapping only)
memory/1340-66-0x0000000000270000-0x000000000027A000-memory.dmp  40KB
memory/1576-69-0x0000000000000000-mapping.dmp  (PID 1576, chrome.exe; mapping only)
memory/1576-72-0x0000000000AE0000-0x0000000000B5C000-memory.dmp  496KB
memory/1924-73-0x0000000000000000-mapping.dmp  (PID 1924, netsh.exe; mapping only)

The two 496KB regions (PIDs 1340 and 1576) are the same size, as expected for the identical 471KB njRAT binary mapped in each process; either dump is a suitable source for re-extracting the config.