Analysis
max time kernel: 169s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 02:57
Behavioral task: behavioral1
Sample: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Resource: win10v2004-20221111-en
General
Target: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Size: 321KB
MD5: 4fcdbd9239fbeea3ecdae855601e8de2
SHA1: a23903fc13d3c9d9e99b0146502b1f625db1d24a
SHA256: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd
SHA512: 6b6f5f243c5ce206e9679fdda767f0c955e9e7bbe04b2191fdd9e4cefcb2f7e39455dac45749f946b7691211087b6958fefe9013bcf598bf67ebc23bdb67d13c
SSDEEP: 6144:k9kAW12GhNB0vi2+XuX1ECuoZzMC8cOF3DqBLL/nAVQ:Pv2iNB0KlXumCuoZAC8cOF3D4L9
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
resource | yara_rule
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta
C:\odt\OFFICE~1.EXE | family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
-
Executes dropped EXE 3 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, svchost.com, Windows.exe
pid | process
4112 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
4604 | svchost.com
3248 | Windows.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: Windows.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | Windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | Windows.exe
-
Drops file in Program Files directory 28 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, svchost.com
description | ioc | process
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | svchost.com
-
Drops file in Windows directory 3 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, svchost.com
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: Windows.exe
pid | process
3248 | Windows.exe (this row is repeated 30 times in the report)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Windows.exe
description | pid | process
Token: SeDebugPrivilege | 3248 | Windows.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe, svchost.com, Windows.exe
description | pid | process | target process
PID 64 wrote to memory of 4112 | 64 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
PID 64 wrote to memory of 4112 | 64 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
PID 64 wrote to memory of 4112 | 64 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
PID 4112 wrote to memory of 4604 | 4112 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | svchost.com
PID 4112 wrote to memory of 4604 | 4112 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | svchost.com
PID 4112 wrote to memory of 4604 | 4112 | 39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe | svchost.com
PID 4604 wrote to memory of 3248 | 4604 | svchost.com | Windows.exe
PID 4604 wrote to memory of 3248 | 4604 | svchost.com | Windows.exe
PID 4604 wrote to memory of 3248 | 4604 | svchost.com | Windows.exe
PID 3248 wrote to memory of 1424 | 3248 | Windows.exe | netsh.exe
PID 3248 wrote to memory of 1424 | 3248 | Windows.exe | netsh.exe
PID 3248 wrote to memory of 1424 | 3248 | Windows.exe | netsh.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe"
    - Modifies system executable filetype association
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\svchost.com
        command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\Windows.exe
          command line: C:\Users\Admin\AppData\Local\Temp\Windows.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
Filesize: 280KB
MD5: 84823c5b9d32a911ab73b944404db10b
SHA1: dbf16f73d3c50efdc2e51bd94604a0511e80b2b2
SHA256: 14b6a43b74442f71a63b7bb043f3f0b884a0d7b7fb1c17d206baa180e8bdb41a
SHA512: 31604acfdbc45448d432177494a4109da4738c568ab9576650321454d77d8551c9fa963adca924d80cfcbbb68dd03f4f4fd5914560ca4329be7d46f39ad5d573
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize: 280KB
MD5: 84823c5b9d32a911ab73b944404db10b
SHA1: dbf16f73d3c50efdc2e51bd94604a0511e80b2b2
SHA256: 14b6a43b74442f71a63b7bb043f3f0b884a0d7b7fb1c17d206baa180e8bdb41a
SHA512: 31604acfdbc45448d432177494a4109da4738c568ab9576650321454d77d8551c9fa963adca924d80cfcbbb68dd03f4f4fd5914560ca4329be7d46f39ad5d573
-
C:\Windows\svchost.com
Filesize: 40KB
MD5: 221f616adca2fdccd10e65b547ea8bfb
SHA1: 561476661e0a1b3bf25b0cbab97d4811bdf8cf30
SHA256: ab52d01e1842c5d62814618493c529597ca992a66f1fee4c74c17eccb458eda4
SHA512: c216f30ae383d85654c06f69c0d99eabb54ccd4c6221276cb8e1fd9ad2be31cf42b9b4c338f41f1fe3e0d9aca9e7580ab6522949dcfeaffc9de50e859d668303
-
C:\odt\OFFICE~1.EXE
Filesize: 5.1MB
MD5: 02c3d242fe142b0eabec69211b34bc55
SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/1424-143-0x0000000000000000-mapping.dmp
-
memory/3248-140-0x0000000000000000-mapping.dmp
-
memory/3248-144-0x0000000073FC0000-0x0000000074571000-memory.dmp
Filesize: 5.7MB
-
memory/3248-145-0x0000000073FC0000-0x0000000074571000-memory.dmp
Filesize: 5.7MB
-
memory/4112-135-0x0000000073FC0000-0x0000000074571000-memory.dmp
Filesize: 5.7MB
-
memory/4112-132-0x0000000000000000-mapping.dmp
-
memory/4112-142-0x0000000073FC0000-0x0000000074571000-memory.dmp
Filesize: 5.7MB
-
memory/4604-136-0x0000000000000000-mapping.dmp