Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-04-2024 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: PO No. 44 Master Group Trading & Contracting.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: PO No. 44 Master Group Trading & Contracting.exe
  Resource: win10v2004-20240226-en
General
Target: PO No. 44 Master Group Trading & Contracting.exe
Size: 815KB
MD5: 77fceb05a851e129ceac74ad35a49669
SHA1: 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256: dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512: e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9
SSDEEP: 24576:PRuoOBrBlsQJKlQA3fqRCAL3V6wREYy9mE:PL0Bld6QA3S0ALlbREYy9m
Malware Config
Signatures

Detect Neshta payload (3 IoCs)
Processes:
  resource                                                                   yara_rule
  behavioral1/memory/2412-37-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
  behavioral1/memory/2412-40-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
  behavioral1/memory/2412-38-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                pid   process                                           target process
  PID 1928 set thread context of 2412   1928  PO No. 44 Master Group Trading & Contracting.exe  PO No. 44 Master Group Trading & Contracting.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3064  powershell.exe
  2672  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3064  powershell.exe
  Token: SeDebugPrivilege   2672  powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                        pid   process                                           target process
  PID 1928 wrote to memory of 3064   1928  PO No. 44 Master Group Trading & Contracting.exe  powershell.exe   (4 entries)
  PID 1928 wrote to memory of 2672   1928  PO No. 44 Master Group Trading & Contracting.exe  powershell.exe   (4 entries)
  PID 1928 wrote to memory of 2656   1928  PO No. 44 Master Group Trading & Contracting.exe  schtasks.exe     (4 entries)
  PID 1928 wrote to memory of 2412   1928  PO No. 44 Master Group Trading & Contracting.exe  PO No. 44 Master Group Trading & Contracting.exe  (12 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"
  PID: 1928
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"
    PID: 3064
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"
    PID: 2672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57A2.tmp"
    PID: 2656
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"
    PID: 2412
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 3134cb6dc9a251692a2eaaa7cb9057c8
SHA1: 49c11ed40bd47093de6c669a87e406e330a258ce
SHA256: 3de4b4de41bed4518acb3300fb75eee0ca7e161f219224dca20d906f5cc8ef4a
SHA512: 57ca3c27f8b753c742007380494e4ac856ff56f9192e522f1e1906783e331597e36a520d887f18d5c74d5ce192c1310d84bf7b4280fe3ec0875787f0cf91e8f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 6dbb8172127902b5a5212bf8a5f1b130
SHA1: a6521de598c4c21d622337e52a07fe1ac193b134
SHA256: ff078a34c3a7203233bde13e25a588c3d2f9bf1aae4cf2956a41a511a50ccee5
SHA512: cc71cab7c6e9c73aa9c2b007c5f89b44cbe1a267013b6861b07a24223bcad8fa39bbbc5c66a78370f9b626ee017a600d4f90b88a0fc671d20488f57d9cd0e06c