Analysis
- max time kernel: 151s
- max time network: 62s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 07:07
Behavioral task: behavioral1
- Sample: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Resource: win10v2004-20221111-en
General
- Target: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Size: 376KB
- MD5: c5bb813721c30e8b1522c54fccc0b63d
- SHA1: 6384a3c681df2329a8fb5635223f2e29546b7548
- SHA256: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90
- SHA512: dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34
- SSDEEP: 6144:UEu8DnsYT9qOq4OP888888888888W88888888888lEu8DnsHEu8DnsHEu8DnsHEW:UcDAZ888888888888W88888888888lcz
Malware Config
Signatures
- Detect Neshta payload (5 IoCs)
  resource                                  yara_rule
  \Users\Admin\AppData\Roaming\lsass.exe    family_neshta
  \Users\Admin\AppData\Roaming\lsass.exe    family_neshta
  C:\Users\Admin\AppData\Roaming\lsass.exe  family_neshta
  C:\Users\Admin\AppData\Roaming\lsass.exe  family_neshta
  C:\Users\Admin\AppData\Roaming\lsass.exe  family_neshta
- Neshta
  Malware from the Neshta family is a file infector: it writes copies of itself into other files in order to spread and cause damage.
- Executes dropped EXE (2 IoCs)
  pid   process
  672   lsass.exe
  908   lsass.exe
- Loads dropped DLL (2 IoCs)
  pid    process
  1740   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
  1740   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                                      process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"  801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\                                                                                             801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"       801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
  Key created      \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                                               801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    process                                                                   target process
  PID 1296 set thread context of 1740   1296   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
  PID 672 set thread context of 908     672    lsass.exe                                                                 lsass.exe
- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, the count column gives the number of occurrences)
  description                         pid    process                                                                   target process                                                            count
  PID 1296 wrote to memory of 1740    1296   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    9
  PID 1740 wrote to memory of 672     1740   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    lsass.exe                                                                 4
  PID 672 wrote to memory of 908      672    lsass.exe                                                                 lsass.exe                                                                 9
Processes
- C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe (PID 1296), command line: "C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe (PID 1740), command line: "C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 672), command line: "C:\Users\Admin\AppData\Roaming\lsass.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 908), command line: "C:\Users\Admin\AppData\Roaming\lsass.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file lsass.exe, reported five times (three times as C:\Users\Admin\AppData\Roaming\lsass.exe and twice as \Users\Admin\AppData\Roaming\lsass.exe); every copy has the same size and hashes, which are also those of the submitted sample
  Filesize: 376KB
  MD5: c5bb813721c30e8b1522c54fccc0b63d
  SHA1: 6384a3c681df2329a8fb5635223f2e29546b7548
  SHA256: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90
  SHA512: dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34
- Memory dumps (name, filesize where reported)
  memory/672-64-0x0000000000000000-mapping.dmp
  memory/908-71-0x0000000000403A3F-mapping.dmp
  memory/908-76-0x0000000000400000-0x000000000040D000-memory.dmp    52KB
  memory/908-77-0x0000000000400000-0x000000000040D000-memory.dmp    52KB
  memory/1740-61-0x0000000000400000-0x000000000040D000-memory.dmp   52KB
  memory/1740-60-0x0000000000400000-0x000000000040D000-memory.dmp   52KB
  memory/1740-59-0x00000000759C1000-0x00000000759C3000-memory.dmp   8KB
  memory/1740-58-0x0000000000403A3F-mapping.dmp
  memory/1740-56-0x0000000000400000-0x000000000040D000-memory.dmp   52KB
  memory/1740-54-0x0000000000400000-0x000000000040D000-memory.dmp   52KB
  memory/1740-55-0x0000000000400000-0x000000000040D000-memory.dmp   52KB
  memory/1740-75-0x0000000000400000-0x000000000040D000-memory.dmp   52KB