Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
16/04/2024, 13:08
General
-
Target
Invoice and receipt.exe
-
Size
727KB
-
MD5
b4b32117b40b70fb1bfeab298ba44557
-
SHA1
a74707a387129c37ce14a7ebacd053a8864e2e7d
-
SHA256
6dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
-
SHA512
dbd3f35c3c6b3ebe18276672a607475d0a8a9999b1e666256a7dac3994367c35887109ba8e1106ea04eb2574d387ce9e198d7d2ac0b33fa85865850fad507906
-
SSDEEP
12288:61ta/jCVo69W+WkpmDodcb1NrOvPA/cxSgDXwJWTrDVylYtnh:g8/jCa69DpOodcbnrOw0ZwJWTrpUYL
Malware Config
Signatures
-
Detect Neshta payload 6 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKgJBVbBBXr.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKgJBVbBBXr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"2⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
MD5aae23b4002755be35da73d5aa597bdc5
SHA193e3bb7907649f0db55fb5ba50586ff73095de6c
SHA256f78a9f80d2009989ba1a18efe735164654990e82347e506060d23923635cede8
SHA51201238e816d4084d61387e599a2d838371c496cc068e4228a60b2723837b27a16746870e38e1ea0770f211f19a6209b0ca33b493dcdc244ca65ccd4a4d10f93ce
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5ac0601449f945fbbe46be72ba77b6b26
SHA1eb573788c1a36970cc2beb6a1859725da9364cf2
SHA256db0273c2ee659047e7f7b952d356cf5ec21f7ac55db276dea102acf3862f107a
SHA5125c82a1dd4a95ce81e59f4e7619e6817ef4b53c6d2bf70e58bf92fdc4ac285a34b89877d42d9a7c5e6a72eea0c510adf8028184bc92af7d6959b4fd407ba05b8e
-
Filesize
686KB
MD53fa00cbe354dd01d622f28366fce6d25
SHA16657afd146e6f5cf936e1241a37b7003b144c8b8
SHA2567778a8371c01ac5d13f4d79626d081c6df59600701371ff168ee50bf7cf318a0
SHA512149098235d0e573b65846074e5ef44ef230d368497eb9abc546e5a0c37bb7670c6f48531b31ee6d33a4d9e200bfb8c467b0d68f7bb2b2ae0c2e2e51eadbc5b5a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5cbf294162f7dfd689ee2a5bb57046cb6
SHA1b075da25e1b7a13d2f977af9bae2393665d2a4b9
SHA256d1c9a5e15fefae410de80a5aa41a1fe9c7a65cd6d37d49b6ce718c005f0d1bf7
SHA512bea49f44376f57d9632b24c456196ec6a261605d2f0c5d6b82c84f4529de820be3af1803cfbb0232b076caa8812024fc2a0f704e5536720751449621ccc2f7b2
-
Filesize
727KB
MD5b4b32117b40b70fb1bfeab298ba44557
SHA1a74707a387129c37ce14a7ebacd053a8864e2e7d
SHA2566dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
SHA512dbd3f35c3c6b3ebe18276672a607475d0a8a9999b1e666256a7dac3994367c35887109ba8e1106ea04eb2574d387ce9e198d7d2ac0b33fa85865850fad507906
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
672KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
744KB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
560KB
-
Filesize
48KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
64KB