Analysis
-
max time kernel
152s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
28-11-2022 09:38
Static task
static1
Behavioral task
behavioral1
Sample
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
Resource
win10v2004-20221111-en
General
-
Target
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
-
Size
1.6MB
-
MD5
30cd1f10f393ce0355ab0272e6fe40c0
-
SHA1
ff02be22b87d48e1a9b5b3544fd249937c09665f
-
SHA256
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a
-
SHA512
f43c54ee53310378d50e03b2a150ff3d06fabc8bd1993c63492f96026dfde6ed18b03c2f771b63dd57f9384d04fd72594fd0276c812b2e989d6f7a0f2525e457
-
SSDEEP
24576:Ftb20pkaCqT5TBWgNQ7aW5MB6dDVPHbZdR17P3e8W0A6A:2Vg5tQ7aW5RdVdpPu845
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
Processes:
resource                                       yara_rule
\Users\Admin\AppData\Local\Temp\system.exe     family_neshta
\Users\Admin\AppData\Local\Temp\system.exe     family_neshta
C:\Users\Admin\AppData\Local\Temp\system.exe   family_neshta
C:\Users\Admin\AppData\Local\Temp\system.exe   family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
system.exe
description       ioc                                                                                                      process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"   system.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Executes dropped EXE 3 IoCs
Processes:
system.exe, njRAT v0.7d.exe, system.exe
pid    process
1472   system.exe
592    njRAT v0.7d.exe
636    system.exe
-
Drops startup file 2 IoCs
Processes:
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
description                    ioc                                                                                       process
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe   c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe   c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
-
Loads dropped DLL 5 IoCs
Processes:
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe, system.exe
pid    process
960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
1472   system.exe
1472   system.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
system.exe
description                    ioc                                                              process
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE              system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE                system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE                system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE                 system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\OIS.EXE                            system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE                        system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE                    system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE                          system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE                       system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE                        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE                       system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe         system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe        system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE                   system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE                        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE                       system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE          system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE                       system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe                        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE                         system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe              system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE                    system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe                 system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE              system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE                                system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE                       system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe                system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe      system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE                       system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe                     system.exe
File opened for modification   C:\PROGRA~2\MOZILL~1\UNINST~1.EXE                                system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE                        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE                       system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE                       system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE                       system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe                        system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\INTERN~1\ieinstal.exe                                system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\misc.exe                           system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE                         system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE                        system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE                          system.exe
File opened for modification   C:\PROGRA~2\INTERN~1\ielowutil.exe                               system.exe
File opened for modification   C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE             system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE                 system.exe
File opened for modification   C:\PROGRA~2\INTERN~1\iexplore.exe                                system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE                       system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE                        system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE                       system.exe
File opened for modification   C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE         system.exe
File opened for modification   C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE                 system.exe
File opened for modification   C:\PROGRA~2\Google\Update\DISABL~1.EXE                           system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE                         system.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE                       system.exe
-
Drops file in Windows directory 1 IoCs
Processes:
system.exe
description                    ioc                       process
File opened for modification   C:\Windows\svchost.com    system.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
system.exe
description       ioc                                                                                                      process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"   system.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe, system.exe
description                        pid    process                                                                 target process
PID 960 wrote to memory of 1472    960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   system.exe
PID 960 wrote to memory of 1472    960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   system.exe
PID 960 wrote to memory of 1472    960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   system.exe
PID 960 wrote to memory of 1472    960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   system.exe
PID 960 wrote to memory of 592     960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   njRAT v0.7d.exe
PID 960 wrote to memory of 592     960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   njRAT v0.7d.exe
PID 960 wrote to memory of 592     960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   njRAT v0.7d.exe
PID 960 wrote to memory of 592     960    c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe   njRAT v0.7d.exe
PID 1472 wrote to memory of 636    1472   system.exe                                                              system.exe
PID 1472 wrote to memory of 636    1472   system.exe                                                              system.exe
PID 1472 wrote to memory of 636    1472   system.exe                                                              system.exe
PID 1472 wrote to memory of 636    1472   system.exe                                                              system.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe"
Process tree level: 1
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\AppData\Local\Temp\system.exe
Command line: C:\Users\Admin\AppData\Local\Temp/system.exe
Process tree level: 2
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe"
Process tree level: 3
- Executes dropped EXE
PID:636 -
C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp/njRAT v0.7d.exe"
Process tree level: 2
- Executes dropped EXE
PID:592
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Filesize 145KB
MD5 16a83869f3a5decb6f2308581d545602
SHA1 6601f4ec55351bded6fdd1986385e14e225bb2f8
SHA256 119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b
SHA512 f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a
-
C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Filesize 1.7MB
MD5 27029ca1545784ce16194273a1c69566
SHA1 4e5f81db9fd9d98a3694319c62c3ff6afcd4b2d1
SHA256 753a2b83b5f1a5ed8e46d0ec674f7e55d098669200ef2c57a1bfd748341cb485
SHA512 986f83ec5eb743310a949a134dbcdc6b5ee37de9e7eedb99bb6783b9ba96511cd2b7ae7f41420f7c81ef3f0dc76ecf54e6cc39c8532c8dec39e41544a2de8c97
-
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize 185KB
MD5 a82796f4ff9d86989f4075a626c0ac42
SHA1 e918915b1625998b230db18736be6a5a10936b0c
SHA256 875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b
SHA512 5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize 252KB
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Filesize 145KB
MD5 16a83869f3a5decb6f2308581d545602
SHA1 6601f4ec55351bded6fdd1986385e14e225bb2f8
SHA256 119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b
SHA512 f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a
-
\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Filesize 1.7MB
MD5 27029ca1545784ce16194273a1c69566
SHA1 4e5f81db9fd9d98a3694319c62c3ff6afcd4b2d1
SHA256 753a2b83b5f1a5ed8e46d0ec674f7e55d098669200ef2c57a1bfd748341cb485
SHA512 986f83ec5eb743310a949a134dbcdc6b5ee37de9e7eedb99bb6783b9ba96511cd2b7ae7f41420f7c81ef3f0dc76ecf54e6cc39c8532c8dec39e41544a2de8c97
-
\Users\Admin\AppData\Local\Temp\system.exe
Filesize 185KB
MD5 a82796f4ff9d86989f4075a626c0ac42
SHA1 e918915b1625998b230db18736be6a5a10936b0c
SHA256 875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b
SHA512 5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98
-
memory/592-68-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp
Filesize 10.1MB
-
memory/592-62-0x0000000000000000-mapping.dmp
-
memory/592-71-0x000007FEEE690000-0x000007FEEF726000-memory.dmp
Filesize 16.6MB
-
memory/592-73-0x0000000000566000-0x0000000000585000-memory.dmp
Filesize 124KB
-
memory/636-66-0x0000000000000000-mapping.dmp
-
memory/636-70-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp
Filesize 10.1MB
-
memory/636-72-0x000007FEEE690000-0x000007FEEF726000-memory.dmp
Filesize 16.6MB
-
memory/960-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
Filesize 8KB
-
memory/1472-57-0x0000000000000000-mapping.dmp