neshta | f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
Size

1.4MB
MD5

8365e42574d2d4d21e9442c58d14023a
SHA1

90d11f875cfd06a758b425a1c52b63bc426a77f1
SHA256

f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a
SHA512

e682ccfaca84deb03911fff659d755e34d280698ba5601702eb3b8e38a934edf8f6f5603fd591d250d749fbc84727c1e7b68116c1aa1e45a111e24609d4b10c7
SSDEEP

12288:Mls1nC+xpwcRrabrMoQ3Mls1nC+xpE05uuML+CHz7mjiuCzQl+D387h+y9PB22lG:PsnMoQ3PilNbzqMzQADs7h+EJJl

Score

10^/10

neshta njrat تشفير كلين xor evasion persistence spyware trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

تشفير كلين xor

mrhackeralisaad.ddns.net:14789

Mutex

c6fae74375b915979c7c26341c1a9e41

Attributes

reg_key
c6fae74375b915979c7c26341c1a9e41
splitter
|'|'|

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/340-54-0x0000000000AA0000-0x0000000000BFA000-memory.dmp	family_neshta
\Users\Admin\AppData\Local\Tempprogram.exe	family_neshta
\Users\Admin\AppData\Local\Tempprogram.exe	family_neshta
C:\Users\Admin\AppData\Local\Tempprogram.exe	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Tempserver.exeTempprogram.exechrome.exe

pid process

1340 Tempserver.exe
1240 Tempprogram.exe
1576 chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1924 netsh.exe

pid	process
1340	Tempserver.exe
1240	Tempprogram.exe
1576	chrome.exe

pid	process
1924	netsh.exe

Loads dropped DLL 4 IoCs

Processes:

f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exeTempserver.exe

pid	process
340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
1340	Tempserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6fae74375b915979c7c26341c1a9e41 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6fae74375b915979c7c26341c1a9e41 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeDebugPrivilege	1576	chrome.exe
Token: 33	1576	chrome.exe
Token: SeIncBasePriorityPrivilege	1576	chrome.exe
Token: 33	1576	chrome.exe
Token: SeIncBasePriorityPrivilege	1576	chrome.exe
Token: 33	1576	chrome.exe
Token: SeIncBasePriorityPrivilege	1576	chrome.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exeTempserver.exechrome.exe

description	pid	process	target process
PID 340 wrote to memory of 1340	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempserver.exe
PID 340 wrote to memory of 1340	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempserver.exe
PID 340 wrote to memory of 1340	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempserver.exe
PID 340 wrote to memory of 1340	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempserver.exe
PID 340 wrote to memory of 1240	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempprogram.exe
PID 340 wrote to memory of 1240	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempprogram.exe
PID 340 wrote to memory of 1240	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempprogram.exe
PID 340 wrote to memory of 1240	340	f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe	Tempprogram.exe
PID 1340 wrote to memory of 1576	1340	Tempserver.exe	chrome.exe
PID 1340 wrote to memory of 1576	1340	Tempserver.exe	chrome.exe
PID 1340 wrote to memory of 1576	1340	Tempserver.exe	chrome.exe
PID 1340 wrote to memory of 1576	1340	Tempserver.exe	chrome.exe
PID 1576 wrote to memory of 1924	1576	chrome.exe	netsh.exe
PID 1576 wrote to memory of 1924	1576	chrome.exe	netsh.exe
PID 1576 wrote to memory of 1924	1576	chrome.exe	netsh.exe
PID 1576 wrote to memory of 1924	1576	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe
"C:\Users\Admin\AppData\Local\Temp\f7cb6d99da2237b9ab3c2545f00aa0dc4b2dfda9cdc9c49824c65efb154e853a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1924

C:\Users\Admin\AppData\Local\Tempprogram.exe
"C:\Users\Admin\AppData\Local\Tempprogram.exe"
2⤵
- Executes dropped EXE
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
C:\Users\Admin\AppData\Local\Tempprogram.exe
Filesize
855KB

MD5
e5bec46bb12121fa39247e2babac3745

SHA1
9aceaa28449d292014af8938738af2247320b8dc

SHA256
947627fa9de64f743c13768cbf846154707b36917414fe8c60cd35fc3c2f365e

SHA512
54cc4d61df12ace344b145c83d870640ea179b01b29a1a6f5bc0a66e0c5dbbd48f9db6891eeb94dcb0d21447eb3b6316e570e55759b2d7ef9e5c99830262d906

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
\Users\Admin\AppData\Local\Tempprogram.exe
Filesize
855KB

MD5
e5bec46bb12121fa39247e2babac3745

SHA1
9aceaa28449d292014af8938738af2247320b8dc

SHA256
947627fa9de64f743c13768cbf846154707b36917414fe8c60cd35fc3c2f365e

SHA512
54cc4d61df12ace344b145c83d870640ea179b01b29a1a6f5bc0a66e0c5dbbd48f9db6891eeb94dcb0d21447eb3b6316e570e55759b2d7ef9e5c99830262d906

Download Submit
\Users\Admin\AppData\Local\Tempprogram.exe
Filesize
855KB

MD5
e5bec46bb12121fa39247e2babac3745

SHA1
9aceaa28449d292014af8938738af2247320b8dc

SHA256
947627fa9de64f743c13768cbf846154707b36917414fe8c60cd35fc3c2f365e

SHA512
54cc4d61df12ace344b145c83d870640ea179b01b29a1a6f5bc0a66e0c5dbbd48f9db6891eeb94dcb0d21447eb3b6316e570e55759b2d7ef9e5c99830262d906

Download Submit
\Users\Admin\AppData\Local\Tempserver.exe
Filesize
471KB

MD5
28a98cfd0702a6f39458c7a3596dc06f

SHA1
be12db2b480ee58d910cc62d9af737d31b8bcf4f

SHA256
8cfcf5cc20dd5a43dd5c28df5063af64e7f4934870bbc8d9a214cebf051edf9a

SHA512
e58ca2a429eb0948463c03322f2c17e8bf4429b092e6efea1eb93743b7ae19fef4bd6de45dea20e5c9903fe0dd338d7be9cfe94eeace969683b4e0dbdc3517ef

Download Submit
memory/340-54-0x0000000000AA0000-0x0000000000BFA000-memory.dmp

Filesize
1.4MB

Download
memory/340-55-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1240-63-0x0000000000000000-mapping.dmp

Download
memory/1340-60-0x00000000001A0000-0x000000000021C000-memory.dmp

Filesize
496KB

Download
memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1340-66-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1576-69-0x0000000000000000-mapping.dmp

Download
memory/1576-72-0x0000000000AE0000-0x0000000000B5C000-memory.dmp

Filesize
496KB

Download
memory/1924-73-0x0000000000000000-mapping.dmp

Download