Analysis
-
max time kernel: 134s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 02:39
Static task
static1
Behavioral task
behavioral1
Sample
383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
Resource
win10v2004-20221111-en
General
-
Target
383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
-
Size
733KB
-
MD5
18e67930a20cde9e27ac3169615b8abc
-
SHA1
8c36f92233be12440c62aa71b47b8f92fe4eec7e
-
SHA256
383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f
-
SHA512
431339f98539e75e97745a1efbdc194156f331821ba62f95961b4ea8b1906f31459b4fe96cdca249115a51a0003bd8d22db51ded29775f4a3894b05f88c1f031
-
SSDEEP
12288:qhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aTA25b8jyrSG:qRmJkcoQricOIQxiZY1iaTA2pJB
Malware Config
Signatures
-
Detect Neshta payload 6 IoCs
resource / yara_rule (all six hits are the same YARA family tag, family_neshta):
behavioral1/files/0x0009000000013a13-55.dat  family_neshta
behavioral1/files/0x0009000000013a13-56.dat  family_neshta
behavioral1/files/0x0009000000013a13-57.dat  family_neshta
behavioral1/files/0x0009000000013a13-58.dat  family_neshta
behavioral1/files/0x0009000000013a13-60.dat  family_neshta
behavioral1/files/0x0009000000013a13-62.dat  family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: DLL Files Fixer Activator.exe
-
Neshta
Neshta is a file-infecting virus: it prepends its own body to executables it finds, so every infected program carries and spreads the infector when it is run. In this run the infector body is written to C:\Windows\svchost.com and registered as the handler for the exefile class, so any .exe launched through the shell passes through svchost.com first (see the exefile\shell\open\command value above); the 64 executables under Program Files listed below are the files it opened for modification.
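A triage check for the exefile hijack recorded above, added here as an example and not part of the sandbox report. The default Windows value for HKLM\SOFTWARE\Classes\exefile\shell\open\command is "%1" %*; anything placed in front of it is a program that runs on every .exe launch. The sample key/value pairs are constructed from the IoC on this page plus a clean control entry; the live-registry helper is a hypothetical addition that only runs on Windows.

```python
"""Added example (not from the sandbox report): flag an interposed launcher in
the exefile open command, the hijack recorded at
HKLM\SOFTWARE\Classes\exefile\shell\open\command in this run."""
import re
import sys

# Stock Windows value for exefile\shell\open\command: run the file, pass its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Shape of an interposer: <optionally quoted program> "%1" %*
_INTERPOSER = re.compile(r'^\s*("?)(?P<launcher>.+?)\1\s+"%1"\s+%\*\s*$')


def interposed_launcher(command: str):
    """Return the program inserted in front of "%1" %*, None if the value is
    the stock default, or the whole value if its shape is unrecognised
    (treat that as suspicious too). Doubled backslashes, as written in
    sandbox reports and .reg exports, are collapsed first."""
    cmd = command.strip().replace("\\\\", "\\")
    if cmd == DEFAULT_EXEFILE_COMMAND:
        return None
    m = _INTERPOSER.match(cmd)
    return m.group("launcher") if m else cmd


def audit_open_commands(entries):
    """entries: iterable of (registry key path, value) for *\\shell\\open\\command.
    Returns [(file class, launcher)] for every class whose command is hijacked."""
    findings = []
    for key, value in entries:
        launcher = interposed_launcher(value)
        if launcher is None:
            continue
        # The file class is the path component right after ...\Classes\
        file_class = key.split("\\Classes\\", 1)[1].split("\\", 1)[0]
        findings.append((file_class, launcher))
    return findings


def read_live_exefile_command():
    """Hypothetical helper: on Windows read the live value, elsewhere return
    None so the example still runs offline."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, Windows only
    path = r"SOFTWARE\Classes\exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "")[0]


# Constructed sample: the IoC from this report plus a clean control entry.
SAMPLE_EXPORT = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     r'C:\\Windows\\svchost.com "%1" %*'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command",
     '"%1" %*'),
]

if __name__ == "__main__":
    for file_class, launcher in audit_open_commands(SAMPLE_EXPORT):
        print(f"{file_class}: every launch first runs {launcher}")
```

On a host where this fires, the interposed binary (here C:\Windows\svchost.com) should be hashed and compared with the dropped-file hashes in the Downloads section before it is removed, and the value restored to "%1" %* only after the file is gone, since deleting svchost.com first leaves every .exe unlaunchable through the shell.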
-
Executes dropped EXE 3 IoCs
pid   Process
1696  DLL Files Fixer Activator.exe
1540  conhost.exe
960   DLL Files Fixer Activator.exe
-
Loads dropped DLL 10 IoCs
pid   Process
1896  383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe  (8 entries)
1696  DLL Files Fixer Activator.exe  (2 entries)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and history. This entry is TTP-only: unlike the other signatures, the report attaches no file or registry IoC to it.
-
Drops file in Program Files directory 64 IoCs
All 64 entries share the same description and process: "File opened for modification" by DLL Files Fixer Activator.exe. The ioc paths (8.3 short names as recorded by the sandbox):
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com DLL Files Fixer Activator.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; for a file infector such as Neshta, enumerating drives is equally consistent with searching for further executables to infect.
-
Modifies registry class 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: DLL Files Fixer Activator.exe
(the same write as the "Modifies system executable filetype association" signature above)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
960   DLL Files Fixer Activator.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description (each recorded 4 times)                 pid   Process                                                                    procid_target
PID 1896 wrote to memory of 1696                     1896  383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe  27
PID 1896 wrote to memory of 1540                     1896  383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe  28
PID 1696 wrote to memory of 960                      1696  DLL Files Fixer Activator.exe                                             29
Processes
-
C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe  (PID 1896)
  command line: "C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe  (PID 1696, child of 1896)
      command line: "C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe"
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe  (PID 960, child of 1696)
          command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\conhost.exe  (PID 1540, child of 1896; a dropped file that borrows the name of the legitimate console host, which lives in C:\Windows\System32, not in Temp)
      command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      - Executes dropped EXE
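The tree above shows the classic Neshta execution pattern: the infected "DLL Files Fixer Activator.exe" (PID 1696) does the infection work, then launches a copy of itself from the 3582-490 directory under Temp (PID 960), which is where public analyses of Neshta say the infector drops the original host program before running it. Public analyses also give the infector body as 41,472 bytes, which fits the Downloads section below: the 685KB and 644KB dropped files differ by roughly 41KB. That is an inference from rounded sizes, not something the report states. The following is an added example, not part of the report or of any published tool: it carves the original host out of a prepender-infected executable by parsing the PE headers of the leading image, computing where its on-disk data ends, and checking that what follows is itself a PE. The PE fixtures are constructed in the block (minimal, structurally valid, not runnable binaries) so it runs offline.

```python
"""Added example (not from the sandbox report): carve the original host
program out of a prepender-infected executable by parsing PE headers."""
import struct

DOS_SIG, NT_SIG = b"MZ", b"PE\0\0"


def pe_raw_end(data: bytes, base: int = 0):
    """Size on disk of the PE image whose DOS header starts at data[base:]:
    the end of its section table or of its last section's raw data, whichever
    is further. None if data[base:] does not parse as a PE."""
    if data[base:base + 2] != DOS_SIG or len(data) < base + 0x40:
        return None
    nt = base + struct.unpack_from("<I", data, base + 0x3C)[0]       # e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != NT_SIG:
        return None
    nsec = struct.unpack_from("<H", data, nt + 6)[0]                  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]             # SizeOfOptionalHeader
    sec_table = nt + 24 + opt_size
    if sec_table + nsec * 40 > len(data):
        return None
    end = sec_table + nsec * 40 - base
    for i in range(nsec):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve_prepended_host(data: bytes):
    """If a complete PE is immediately followed by bytes that themselves parse
    as a PE, return (split_offset, host_bytes); otherwise None. A clean
    executable ends where its headers say it does, so it yields None."""
    split = pe_raw_end(data)
    if split is None or split >= len(data):
        return None
    if pe_raw_end(data, split) is None:
        return None
    return split, data[split:]


def build_minimal_pe(payload: bytes, name: bytes) -> bytes:
    """Constructed fixture: a structurally valid, non-runnable PE32 with one
    section whose raw data is `payload`, headers padded to 0x200 bytes."""
    dos = bytearray(0x40)
    dos[:2] = DOS_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)                         # PE32 magic
    sec = bytearray(40)
    sec[:8] = name.ljust(8, b"\0")[:8]
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, len(payload), 0x1000, len(payload), 0x200)
    headers = bytes(dos) + NT_SIG + file_hdr + bytes(opt_hdr) + bytes(sec)
    return headers.ljust(0x200, b"\0") + payload


# Constructed fixtures standing in for the ~41KB infector and the 644KB host.
STUB = build_minimal_pe(b"infector body " * 64, b".stub")
HOST = build_minimal_pe(b"original program " * 256, b".text")
INFECTED = STUB + HOST

if __name__ == "__main__":
    split, host = carve_prepended_host(INFECTED)
    print(f"host starts at offset {split}, {len(host)} bytes, intact: {host == HOST}")
```

On a real sample, a split offset of 41,472 corroborates the Neshta attribution, and the SHA-256 of the carved bytes should equal that of the clean copy the infector itself wrote to the 3582-490 directory (the 644KB entry below, if the size inference holds). Treat a carve hit alone as a hint rather than proof: some self-extracting and installer stubs also append data after their own image, so confirm by hash before declaring a file infected or clean.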
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
The report lists 15 dropped files; by content they are four distinct files (the count is the number of times each hash set appears).

Filesize 644KB  (listed 2 times)
MD5 a81137304bc201ac1b9a557675f68168
SHA1 6e3a1e82ff71821e0663ff3211c713f9ce166dd2
SHA256 4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86
SHA512 2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec
-
Filesize 685KB  (listed 6 times)
MD5 db26308a86da5a41d83b67e96a2293b7
SHA1 316760d73b2145d80d93cf754cc33ddeb2f3d439
SHA256 b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a
SHA512 12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3
-
Filesize 29KB  (listed 6 times)
MD5 f322709921ddf81c7ef639e8c53862ca
SHA1 9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4
SHA256 ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858
SHA512 e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0
-
Filesize 252KB  (listed 1 time)
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156