Analysis

max time kernel: 88s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 07:06
Behavioral task: behavioral1
  Sample: 7996817746b878c92c5fc407a2d25b55.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 7996817746b878c92c5fc407a2d25b55.exe
  Resource: win10v2004-20231222-en
General

Target: 7996817746b878c92c5fc407a2d25b55.exe
Size: 1.3MB
MD5: 7996817746b878c92c5fc407a2d25b55
SHA1: b1a2215278e263048f60d8663a1d8a3adea8e1a0
SHA256: 2c2f87ce2d5f3f2e55272aa72b32fbdd30ef6886903266ae645ea9b1e08ab5f1
SHA512: f45f0a53aaf27e88ae9e36b5286bb64ddfdcd8724d202c99a26766afb90fc20fff012116ce2d9437d5371f87f8eb903d5b6ab7518103a07e85c9db6316d3813f
SSDEEP: 24576:Bv35bLaP4xtPmUGjgdhkhsuxo5KYviBvtFiCGlt/C9Rt4nyDazxbZYTawquegN:x5phmUkgoXxoSBvWCGl8tEyDaZZYehgN
Malware Config
Signatures

Detect Neshta payload (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000020048-12.dat | family_neshta
  behavioral2/memory/5008-95-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral2/memory/5008-96-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral2/memory/5008-98-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta

Neshta
  Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 7996817746b878c92c5fc407a2d25b55.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1196 | 7996817746b878c92c5fc407a2d25b55.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7996817746b878c92c5fc407a2d25b55.exe
  With this value in place, every launch of a .exe file is routed through C:\Windows\svchost.com, which receives the original executable's path as its first argument; restoring the default exefile\shell\open\command value is part of cleanup.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  Every entry is "File opened for modification" by 7996817746b878c92c5fc407a2d25b55.exe; the 64 target paths are:
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
  C:\PROGRA~2\WINDOW~4\wmprph.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
  C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~3.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~2.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~2\WINDOW~4\wmpconfig.exe
  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmplayer.exe
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\svchost.com | 7996817746b878c92c5fc407a2d25b55.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7996817746b878c92c5fc407a2d25b55.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1196 | 7996817746b878c92c5fc407a2d25b55.exe
  1196 | 7996817746b878c92c5fc407a2d25b55.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5008 wrote to memory of 1196 | 5008 | 7996817746b878c92c5fc407a2d25b55.exe | 88
  PID 5008 wrote to memory of 1196 | 5008 | 7996817746b878c92c5fc407a2d25b55.exe | 88
  PID 5008 wrote to memory of 1196 | 5008 | 7996817746b878c92c5fc407a2d25b55.exe | 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\7996817746b878c92c5fc407a2d25b55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7996817746b878c92c5fc407a2d25b55.exe"
   PID: 5008
   Signatures:
     - Checks computer location settings
     - Modifies system executable filetype association
     - Drops file in Program Files directory
     - Drops file in Windows directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3582-490\7996817746b878c92c5fc407a2d25b55.exe (child of PID 5008)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\7996817746b878c92c5fc407a2d25b55.exe"
      PID: 1196
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB
MD5: c2e2a3c34f7c18a025058ce3b3f43574
SHA1: 4a4859ccce2daa29d481eb7b85f2b6d8a32d08fb
SHA256: 41c208baf07294fe664551ce66cd19234354e3bd86b9a1a376d037ee9abf8d19
SHA512: 6d983742ffb3d940290f8227ae259923a415c36c198bda5f4d6a88c3e8d924a350ca66dd766f5670b0f6bd47544586e98db204d33838313a31e2bb0e4b385229

Filesize: 1.3MB
MD5: 4d59dbdd3ffed0560fe92ca61a8cbb73
SHA1: f367d5b3b6799d40bcd4f7e7c3031b6426ac1f1d
SHA256: 67dbac13c701bc2efdbf09b389ea85c3bc4a00d3f86854b835757d87766d38a6
SHA512: 102129ddd51dcc02ab406b93206f70769d30e252acf6e5bcdf1d4343ca3485dad4856bf047d6371080299f3fc694c09f487b1493964f528ad5d90486ae9562b6