Analysis
-
max time kernel
163s -
max time network
204s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
02-12-2022 06:24
Static task
static1
Behavioral task
behavioral1
Sample
b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll
Resource
win10v2004-20221111-en
General
-
Target
b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll
-
Size
184KB
-
MD5
eded7b23c48aff4af017c06eefc11660
-
SHA1
e04bf50b0202d941e02b9e826790a34334e0b593
-
SHA256
b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc
-
SHA512
7a4a6ce0c3d5c39bc4a8a42c3f402a659d4cd43e9923f579d1d51d1e994d9cb4a51258fdd12d5b9c7e237edde872ec76bcf7792443b3c40d3cd9b23fbc84d985
-
SSDEEP
3072:idSdGlrc/9vNWkFOvJygOOMPCy5oFfIAvsTe7g1C+f8SWnYX:idSQJc/jWko2L/vOyC+f8SNX
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
Processes:
resource yara_rule \Windows\SysWOW64\rundll32mgr.exe family_neshta \Windows\SysWOW64\rundll32mgr.exe family_neshta C:\Windows\SysWOW64\rundll32mgr.exe family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
rundll32mgr.exepid process 1032 rundll32mgr.exe -
Processes:
resource yara_rule \Windows\SysWOW64\rundll32mgr.exe upx \Windows\SysWOW64\rundll32mgr.exe upx C:\Windows\SysWOW64\rundll32mgr.exe upx behavioral1/memory/1032-60-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral1/memory/1032-63-0x0000000000400000-0x000000000045B000-memory.dmp upx -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exepid process 1324 rundll32.exe 1324 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C39CF9D1-7403-11ED-BA2E-6662AD81E03A} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376944506" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C39D20E1-7403-11ED-BA2E-6662AD81E03A} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
rundll32mgr.exepid process 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe 1032 rundll32mgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32mgr.exedescription pid process Token: SeDebugPrivilege 1032 rundll32mgr.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exeiexplore.exepid process 572 iexplore.exe 640 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEpid process 572 iexplore.exe 572 iexplore.exe 640 iexplore.exe 640 iexplore.exe 1752 IEXPLORE.EXE 1752 IEXPLORE.EXE 844 IEXPLORE.EXE 844 IEXPLORE.EXE 1752 IEXPLORE.EXE 1752 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
rundll32.exerundll32.exerundll32mgr.exeiexplore.exeiexplore.exedescription pid process target process PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 632 wrote to memory of 1324 632 rundll32.exe rundll32.exe PID 1324 wrote to memory of 1032 1324 rundll32.exe rundll32mgr.exe PID 1324 wrote to memory of 1032 1324 rundll32.exe rundll32mgr.exe PID 1324 wrote to memory of 1032 1324 rundll32.exe rundll32mgr.exe PID 1324 wrote to memory of 1032 1324 rundll32.exe rundll32mgr.exe PID 1032 wrote to memory of 640 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 640 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 640 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 640 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 572 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 572 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 572 1032 rundll32mgr.exe iexplore.exe PID 1032 wrote to memory of 572 1032 rundll32mgr.exe iexplore.exe PID 572 wrote to memory of 1752 572 iexplore.exe IEXPLORE.EXE PID 572 wrote to memory of 1752 572 iexplore.exe IEXPLORE.EXE PID 572 wrote to memory of 1752 572 iexplore.exe IEXPLORE.EXE PID 572 wrote to memory of 1752 572 iexplore.exe IEXPLORE.EXE PID 640 wrote to memory of 844 640 iexplore.exe IEXPLORE.EXE PID 640 wrote to memory of 844 640 iexplore.exe IEXPLORE.EXE PID 640 wrote to memory of 844 640 iexplore.exe IEXPLORE.EXE PID 640 wrote to memory of 844 640 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll,#12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ec390bbc0d3acf7a37c4bfa342de20dc
SHA129ff57a0d281d50edb0516f56de90b3ad954c51c
SHA2564de3bc6a02ecdb31dbd566764557d1479ba91e63441b2dc5c9e367ac35c67e44
SHA5120e03c1f95bf574bb8e80dc77d426c749911f7585993a4557c303bd957954287243306c1a1f6bf35e85cd5d5fa348c2fda474e681ed2942865e75ba227f8ded77
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C39CF9D1-7403-11ED-BA2E-6662AD81E03A}.datFilesize
4KB
MD54fd852f6cdd2a36acc598d0a73b29c82
SHA1d828e22806d747a0c3168598bbe21b4d7aa97d93
SHA2564594cc90338c9245cc1817094f9346ecacfb5b0e53af2b208afef927449ebae3
SHA512a3726a315b7f01793f0ee2009c812258e065e9cbcded671957b114e214a77364c9784587af9e97da6a377e86fb86feaa349db476b4ea68fdd5394900e8196b02
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C39D20E1-7403-11ED-BA2E-6662AD81E03A}.datFilesize
5KB
MD54688e0af95cb1dc0f01edd7b15706af7
SHA1b91d62ed20e9332c368bcec033056b5d26aef18f
SHA2565e958b93e372b76c76b82707376ef7538bcb87fe77cbe75cd316ccb4a8f0dac1
SHA5124acf3f119968ccc6e5076f7142218c73361c447f16f4c69e4b2cdd84862eb8799e63f90ab4c91257e2a7e94bd97cf3efd73cab2fa973499c7345855b9ac11cad
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W96EB594.txtFilesize
539B
MD51c65838f61025f6fa15a2a8f708405bf
SHA18d06e206319c2f4124dc5a5f220bf5310fe90b37
SHA25638db9495227e602203a4f150dd11b9cb678b6c841e36a4991a3f090ccc2596b3
SHA5121362e683f10bc64e41a5ab7d287e48c8a83d587b002e60164eeb4a1bbd12729c5ee461c3504a6e4f090f05587c42ba62f9c10db57b67a83f170d9519ab880c02
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
146KB
MD543be420578bb466a71cdd20d9e331349
SHA1ca7b41da373754dc1b9ebc376a8aa849591e73fb
SHA256e70ae77d9b689a4365d3f9ed2f4375e1d2c7e86233533d2944e6da3cce4c9f39
SHA512ee23da2f98b16654f8ddeaabe06f1065685106947f1340dbcb420764bfd5e59be50308ca5f0edd89325f329970fd45025cc16edcef746a463c9ae039edb55d5e
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
146KB
MD543be420578bb466a71cdd20d9e331349
SHA1ca7b41da373754dc1b9ebc376a8aa849591e73fb
SHA256e70ae77d9b689a4365d3f9ed2f4375e1d2c7e86233533d2944e6da3cce4c9f39
SHA512ee23da2f98b16654f8ddeaabe06f1065685106947f1340dbcb420764bfd5e59be50308ca5f0edd89325f329970fd45025cc16edcef746a463c9ae039edb55d5e
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
146KB
MD543be420578bb466a71cdd20d9e331349
SHA1ca7b41da373754dc1b9ebc376a8aa849591e73fb
SHA256e70ae77d9b689a4365d3f9ed2f4375e1d2c7e86233533d2944e6da3cce4c9f39
SHA512ee23da2f98b16654f8ddeaabe06f1065685106947f1340dbcb420764bfd5e59be50308ca5f0edd89325f329970fd45025cc16edcef746a463c9ae039edb55d5e
-
memory/1032-60-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1032-63-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1032-58-0x0000000000000000-mapping.dmp
-
memory/1324-54-0x0000000000000000-mapping.dmp
-
memory/1324-55-0x0000000075C31000-0x0000000075C33000-memory.dmpFilesize
8KB