Analysis
max time kernel: 104s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:37
Behavioral task: behavioral1
Sample: aa1efe82b7a8462a234757d822dd2466.exe
Resource: win7-20231129-en
General
Target: aa1efe82b7a8462a234757d822dd2466.exe
Size: 614KB
MD5: aa1efe82b7a8462a234757d822dd2466
SHA1: 41fdc3584bfc507af135ad645b9c6fd4131b1bee
SHA256: 7cca4f23bd94e5cf9208a12bae1d251a38365c73a89322de96aae09be86f40bf
SHA512: 20e5ed625cf99b0af442d6067fb1b8c57a47d9f8d58b950b92ec1f98182e8e44ba125fc847f9c827fdde832f92a0345d077dca09dfa0c4043906507e59cb8c4c
SSDEEP: 6144:k9npUgSbTLYf44yKHreU8L94jDV9ULoU8LSHP0x8Taj9j2kJDg:ipU1bTLpgLG9QDV9UESitDg
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Detect Neshta payload 10 IoCs
resource / yara_rule:
- behavioral2/files/0x0006000000020037-30.dat family_neshta
- behavioral2/memory/3368-98-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-125-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-126-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-127-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-128-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-130-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3368-131-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
Neshta
Neshta is a file infector: it writes a copy of itself into other executable files, so that launching any infected program spreads it further, and the host programs can be damaged in the process.
Windows security bypass 6 IoCs
description / ioc / Process (all set by aa1efe82b7a8462a234757d822dd2466.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (aa1efe82b7a8462a234757d822dd2466.exe)
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (aa1efe82b7a8462a234757d822dd2466.exe)
Executes dropped EXE 1 IoCs
pid / Process:
- 1436 aa1efe82b7a8462a234757d822dd2466.exe
Loads dropped DLL 1 IoCs
pid / Process:
- 1436 aa1efe82b7a8462a234757d822dd2466.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (aa1efe82b7a8462a234757d822dd2466.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX packed file 2 IoCs
resource / yara_rule:
- behavioral2/memory/1436-25-0x0000000002270000-0x00000000032FE000-memory.dmp upx
- behavioral2/memory/1436-27-0x0000000002270000-0x00000000032FE000-memory.dmp upx
Windows security modification 7 IoCs
description / ioc / Process (all by aa1efe82b7a8462a234757d822dd2466.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Drops file in Program Files directory 64 IoCs
description / ioc / Process (every entry is "File opened for modification" by aa1efe82b7a8462a234757d822dd2466.exe):
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe
- C:\PROGRA~2\WINDOW~4\wmprph.exe
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
- C:\PROGRA~2\WINDOW~4\wmplayer.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
- C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\WINDOW~2\wabmig.exe
- C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
Drops file in Windows directory 1 IoCs
description / ioc / Process:
- File opened for modification C:\Windows\svchost.com (aa1efe82b7a8462a234757d822dd2466.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 1 IoCs
resource / yara_rule:
- behavioral2/files/0x0007000000023210-4.dat nsis_installer_1
Modifies registry class 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (aa1efe82b7a8462a234757d822dd2466.exe)
Suspicious use of WriteProcessMemory 3 IoCs
description / pid / Process / procid_target:
- PID 3368 wrote to memory of 1436 (aa1efe82b7a8462a234757d822dd2466.exe, target 90)
- PID 3368 wrote to memory of 1436 (aa1efe82b7a8462a234757d822dd2466.exe, target 90)
- PID 3368 wrote to memory of 1436 (aa1efe82b7a8462a234757d822dd2466.exe, target 90)
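The registry writes in the signatures above (the Security Center override and notify flags forced to 1, DisableRegistryTools set to 1, and the exefile open handler rewritten so that every .exe launch goes through C:\Windows\svchost.com) are the kind of evidence a detection engineer turns into rules. The Python below is an added example, not code from the sandbox or from this page: it parses the report's own "Set value" rows (copied here as constructed sample input, together with one constructed benign row and the report's "Key created" row as negative controls) and flags the three tamper patterns. The rule names, the Finding dataclass and the benign control row are my own; the one external fact it relies on is that the stock value of HKCR\exefile\shell\open\command on a clean Windows install is "%1" %*.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Matches the sandbox report's flattened registry rows:
#   Set value (<type>) <key> = "<value>" <process>
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)

# Security Center flags that silence AV/firewall/update/UAC warnings when set to 1.
SECURITY_CENTER_OVERRIDES = {
    "antivirusoverride", "antivirusdisablenotify", "firewalloverride",
    "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify",
}
# Explorer policy values that lock the user out of regedit / Task Manager.
POLICY_LOCKOUTS = {"disableregistrytools": "regedit_disabled",
                   "disabletaskmgr": "taskmgr_disabled"}
# Stock HKCR\exefile\shell\open\command on a clean Windows install.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample input: the report's own IoC rows plus one benign control
# row (a Desktop shell-folder write by explorer.exe) that must not fire.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aa1efe82b7a8462a234757d822dd2466.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = "C:\\Users\\Admin\\Desktop" explorer.exe',
]
# The report's "Key created" row: not a value write, so the parser must skip it.
KEY_CREATED_ROW = r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc aa1efe82b7a8462a234757d822dd2466.exe'


@dataclass
class RegEvent:
    value_type: str
    key: str        # trailing backslash (the key's default value) stripped
    value: str      # report escaping of \\ and \" undone
    process: str


@dataclass
class Finding:
    rule: str
    key: str
    value: str
    process: str
    detail: str = ""


def unescape(report_value: str) -> str:
    """Undo the report's C-style escaping of backslashes and double quotes."""
    return report_value.replace('\\"', '"').replace('\\\\', '\\')


def parse_event(row: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(row.strip())
    if not m:
        return None  # "Key created", file rows and the like are not value writes
    return RegEvent(m["type"], m["key"].rstrip("\\"), unescape(m["value"]), m["proc"])


def classify(ev: RegEvent) -> Optional[Finding]:
    key = ev.key.lower()
    leaf = key.rsplit("\\", 1)[-1]
    if "\\microsoft\\security center\\" in key and leaf in SECURITY_CENTER_OVERRIDES and ev.value == "1":
        return Finding("security_center_tamper", ev.key, ev.value, ev.process, leaf)
    if "\\policies\\system" in key and leaf in POLICY_LOCKOUTS and ev.value == "1":
        return Finding(POLICY_LOCKOUTS[leaf], ev.key, ev.value, ev.process, leaf)
    if key.endswith("\\classes\\exefile\\shell\\open\\command") and ev.value != DEFAULT_EXEFILE_COMMAND:
        # Whatever precedes "%1" is the binary now interposed on every .exe launch.
        interposed = ev.value.split('"%1"', 1)[0].strip()
        return Finding("exe_handler_hijack", ev.key, ev.value, ev.process, interposed)
    return None


def analyze(rows: List[str]) -> List[Finding]:
    findings = []
    for row in rows:
        ev = parse_event(row)
        if ev is None:
            continue
        finding = classify(ev)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS + [KEY_CREATED_ROW])
    for f in hits:
        print(f"{f.rule:24} {f.process}  {f.key} -> {f.detail or f.value}")
    print(summarize(hits))
```

Run as-is it reports six security_center_tamper hits, one regedit_disabled and one exe_handler_hijack whose detail is C:\Windows\svchost.com, and nothing for the explorer.exe row or the "Key created" row. The exefile rule compares against the stock handler rather than looking for svchost.com by name, so it also catches other interposed binaries; the two policy keys are listed together because the report's "Disables Task Manager" signature carries no IoC row to copy, and a DisableTaskMgr write would be classified the same way.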
Processes
C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"
Depth 1, PID 3368
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe"
  Depth 2 (child of PID 3368), PID 1436
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 897KB
MD5: 355cb9870b5f65da1d11eaa3e8f40788
SHA1: 6346a6d3aa55c39175c2bdaf67c0a89e8d383ab8
SHA256: 754d47f95ce671da871da32afa71fcf46868439e52e78e6eb29d085d5e2b141c
SHA512: 080a738294554ec2906be6c6abc1d49750e936779e624e7550ee9a837912d89592adb089ac6e5eb938ccd71a48947cb8f79ed3227ddb4ea0d66d3f6ac9751374

Filesize: 574KB
MD5: 729b18ffd039c5574b2d9685401f42c8
SHA1: 27ef6946fff89bf261b465a3364ca9b333fbadd2
SHA256: a2ca75d551c5143691815c7b61ee2d7baa469cc758bf25d4344dad852c7a2162
SHA512: 3fcf6cf454caab2b943e4c419c228d9db156e3ab42a8879b1b13bf21de925180086bea5ff7cb2cf504c32f596c68d3e4af548c6acea5537f55d6ea32e8fc1de9

Filesize: 10KB
MD5: 05e52213cfa17dee760186462a9645ed
SHA1: f6d5e82080bbba65db7d54e89250c95af833aae3
SHA256: d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5
SHA512: 586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172