Analysis
- max time kernel: 369s
- max time network: 380s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 07:07
Behavioral task: behavioral1
- Sample: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Resource: win10v2004-20221111-en
General
- Target: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Size: 376KB
- MD5: c5bb813721c30e8b1522c54fccc0b63d
- SHA1: 6384a3c681df2329a8fb5635223f2e29546b7548
- SHA256: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90
- SHA512: dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34
- SSDEEP: 6144:UEu8DnsYT9qOq4OP888888888888W88888888888lEu8DnsHEu8DnsHEu8DnsHEW:UcDAZ888888888888W88888888888lcz
Malware Config
Signatures
- Detect Neshta payload (3 IoCs)
  Processes:
    resource                                   yara_rule
    C:\Users\Admin\AppData\Roaming\lsass.exe   family_neshta
    C:\Users\Admin\AppData\Roaming\lsass.exe   family_neshta
    C:\Users\Admin\AppData\Roaming\lsass.exe   family_neshta
- Neshta
  Malware from the Neshta family is a file infector: it copies itself into other executable files in order to spread and cause damage.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    3392   lsass.exe
    4644   lsass.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    description        ioc                                                                                                                                    process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
    Key created        \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                              801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\                                                             801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                              pid    process                                                                  target process
    PID 4288 set thread context of 3104      4288   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
    PID 3392 set thread context of 4644      3392   lsass.exe                                                                lsass.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (identical entries grouped; the original table lists each one separately):
    description                          pid    process                                                                  target process                                                           entries
    PID 4288 wrote to memory of 3104     4288   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    8
    PID 3104 wrote to memory of 3392     3104   801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe    lsass.exe                                                                3
    PID 3392 wrote to memory of 4644     3392   lsass.exe                                                                lsass.exe                                                                8
Processes
1. C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
   PID: 4288
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
      PID: 3104
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\lsass.exe
         Command line: "C:\Users\Admin\AppData\Roaming\lsass.exe"
         PID: 3392
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\lsass.exe
            Command line: "C:\Users\Admin\AppData\Roaming\lsass.exe"
            PID: 4644
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\lsass.exe (this entry appears three times in the report, with identical hashes)
  Filesize: 376KB
  MD5: c5bb813721c30e8b1522c54fccc0b63d
  SHA1: 6384a3c681df2329a8fb5635223f2e29546b7548
  SHA256: 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90
  SHA512: dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34
- memory/3104-135-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3104-137-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3104-138-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3104-139-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3104-132-0x0000000000000000-mapping.dmp
- memory/3104-134-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3104-133-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/3392-140-0x0000000000000000-mapping.dmp
- memory/4644-143-0x0000000000000000-mapping.dmp
- memory/4644-150-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
- memory/4644-151-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)