Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2023, 01:44
Static task
static1
Behavioral task
behavioral1
Sample
aaaa.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
aaaa.exe
Resource
win10v2004-20230915-en
General
-
Target
aaaa.exe
-
Size
3.3MB
-
MD5
b6a18b64ba64922793c6849464a26332
-
SHA1
883da851ff68f948ab237679e0df43561bab0a18
-
SHA256
073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c
-
SHA512
e8c0204eb07cd66960e3648435570afa63a5e7654d19092d89213e151ef8cddce3d333c8244bf60f3710e26507d333e0bf6b34d8f5aff3f90d237b9df61675d3
-
SSDEEP
98304:P9qUaXiv7NMhB0qCp1KOU/Yqd0AuU0wA:P9Cy2hBOcgqd0G
Malware Config
Signatures
-
Detect Neshta payload 18 IoCs
resource yara_rule behavioral2/files/0x0007000000023249-12.dat family_neshta behavioral2/files/0x0007000000023249-14.dat family_neshta behavioral2/memory/4380-16-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/files/0x0007000000023249-17.dat family_neshta behavioral2/memory/4380-47-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-49-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/files/0x000700000002324d-131.dat family_neshta behavioral2/memory/4380-141-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-143-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-144-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-145-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-146-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-147-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-148-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-149-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-150-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-151-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta behavioral2/memory/4380-152-0x0000000000400000-0x000000000042B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation aaaa.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation GTA 5 Mod Menu v2.10.5.exe -
Executes dropped EXE 2 IoCs
pid Process 4380 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" GTA 5 Mod Menu v2.10.5.exe -
Obfuscated with Agile.Net obfuscator 5 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4008-42-0x00000000053B0000-0x00000000053D0000-memory.dmp agile_net behavioral2/memory/4008-43-0x00000000053F0000-0x000000000544A000-memory.dmp agile_net behavioral2/memory/4008-44-0x0000000005170000-0x000000000517E000-memory.dmp agile_net behavioral2/memory/4008-45-0x0000000005470000-0x00000000054DE000-memory.dmp agile_net behavioral2/memory/4008-46-0x00000000054E0000-0x0000000005622000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ixvjffdjqz = "C:\\Users\\Admin\\AppData\\Roaming\\Ixvjffdjqz.exe" aaaa.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 316 set thread context of 3616 316 aaaa.exe 87 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MIF4FD~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~2.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MIA062~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13177~1.11\MICROS~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MID1AD~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~4.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe GTA 5 Mod Menu v2.10.5.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe GTA 5 Mod Menu v2.10.5.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com GTA 5 Mod Menu v2.10.5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" GTA 5 Mod Menu v2.10.5.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe 4008 GTA 5 Mod Menu v2.10.5.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 316 aaaa.exe Token: SeDebugPrivilege 3616 aspnet_compiler.exe Token: SeDebugPrivilege 4008 GTA 5 Mod Menu v2.10.5.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 316 wrote to memory of 4380 316 aaaa.exe 86 PID 316 wrote to memory of 4380 316 aaaa.exe 86 PID 316 wrote to memory of 4380 316 aaaa.exe 86 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 316 wrote to memory of 3616 316 aaaa.exe 87 PID 4380 wrote to memory of 4008 4380 GTA 5 Mod Menu v2.10.5.exe 88 PID 4380 wrote to memory of 4008 4380 GTA 5 Mod Menu v2.10.5.exe 88 PID 4380 wrote to memory of 4008 4380 GTA 5 Mod Menu v2.10.5.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\aaaa.exe"C:\Users\Admin\AppData\Local\Temp\aaaa.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5ea84cad2bff8c263e6cf3f8f11b93c73
SHA10628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA5124959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67
-
Filesize
3.3MB
MD5ea84cad2bff8c263e6cf3f8f11b93c73
SHA10628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA5124959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67
-
Filesize
3.3MB
MD5ea84cad2bff8c263e6cf3f8f11b93c73
SHA10628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA5124959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67
-
Filesize
3.3MB
MD5064510a44c3c41ae42b2d3c19cb3075e
SHA1e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA25624989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA5128dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885
-
Filesize
3.3MB
MD5064510a44c3c41ae42b2d3c19cb3075e
SHA1e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA25624989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA5128dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885
-
Filesize
3.3MB
MD5064510a44c3c41ae42b2d3c19cb3075e
SHA1e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA25624989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA5128dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885
-
Filesize
3.4MB
MD5d135618e6963b7f5032053e385faee4a
SHA198901c512ecf3460bec867d24979ed18cfcbe95b
SHA2568d9e06447423812a9a47232368e3c70486ac959fcfad9d81718ba12b0cbaf4bc
SHA512806d478cd68f5884ac7b751f6da78183126437b8489e88ee1e14accc055a6416d10afae1f9d82ac7b087106fbb3074758bdbe3cf8a711fb668d36d9c19fe8eb5