Analysis
-
max time kernel
95s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
16-04-2024 13:07
General
-
Target
Invoice and receipt.exe
-
Size
727KB
-
MD5
b4b32117b40b70fb1bfeab298ba44557
-
SHA1
a74707a387129c37ce14a7ebacd053a8864e2e7d
-
SHA256
6dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
-
SHA512
dbd3f35c3c6b3ebe18276672a607475d0a8a9999b1e666256a7dac3994367c35887109ba8e1106ea04eb2574d387ce9e198d7d2ac0b33fa85865850fad507906
-
SSDEEP
12288:61ta/jCVo69W+WkpmDodcb1NrOvPA/cxSgDXwJWTrDVylYtnh:g8/jCa69DpOodcbnrOw0ZwJWTrpUYL
Malware Config
Signatures
-
Detect Neshta payload 6 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKgJBVbBBXr.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKgJBVbBBXr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp638C.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"2⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEFilesize
328KB
MD5aae23b4002755be35da73d5aa597bdc5
SHA193e3bb7907649f0db55fb5ba50586ff73095de6c
SHA256f78a9f80d2009989ba1a18efe735164654990e82347e506060d23923635cede8
SHA51201238e816d4084d61387e599a2d838371c496cc068e4228a60b2723837b27a16746870e38e1ea0770f211f19a6209b0ca33b493dcdc244ca65ccd4a4d10f93ce
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD52d5e8de3fbcf7542929ef1dcb781dc20
SHA12e0a787ffdb66994aada6e49bcffc79d155974fc
SHA256cc80b8a008eb874ad215630377f2dd55be99f551fed38170569806cf49478723
SHA512dcd00f81dd0a1e932dc0c41d2dab5bee56ad7e8aa13f4df476b6cac8ffbc2fb9cc02783b8e4d0d270ad7c5a9d406d837cb237369e30be924aa200a2f875b87b8
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Invoice and receipt.exeFilesize
686KB
MD53fa00cbe354dd01d622f28366fce6d25
SHA16657afd146e6f5cf936e1241a37b7003b144c8b8
SHA2567778a8371c01ac5d13f4d79626d081c6df59600701371ff168ee50bf7cf318a0
SHA512149098235d0e573b65846074e5ef44ef230d368497eb9abc546e5a0c37bb7670c6f48531b31ee6d33a4d9e200bfb8c467b0d68f7bb2b2ae0c2e2e51eadbc5b5a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cu3gj1j5.41o.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp638C.tmpFilesize
1KB
MD5110cf5e1466e2411b5b2434a7b4a9268
SHA1d98bc44d3acc4ac980d65d6cb2022e5470a79a36
SHA256e9baa6286c3490a2caec2be84617f6b962e20ae9581c0ca3b6722f75a2bfad5a
SHA512a238e2ce61074639e4ac28ae8c6c49578c501defd0d5c0658ae783bc032e49ce21c1028914e8f3e6861fae7f727ac43434d0abca60744a8e41be92f1d3a3d701
-
C:\Users\Admin\AppData\Roaming\PKGJBV~1.EXEFilesize
727KB
MD5b4b32117b40b70fb1bfeab298ba44557
SHA1a74707a387129c37ce14a7ebacd053a8864e2e7d
SHA2566dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
SHA512dbd3f35c3c6b3ebe18276672a607475d0a8a9999b1e666256a7dac3994367c35887109ba8e1106ea04eb2574d387ce9e198d7d2ac0b33fa85865850fad507906
-
memory/2276-197-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2276-199-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2276-25-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2276-38-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2276-29-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2276-27-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2384-19-0x00000000059E0000-0x0000000006008000-memory.dmpFilesize
6.2MB
-
memory/2384-96-0x0000000070D40000-0x0000000070D8C000-memory.dmpFilesize
304KB
-
memory/2384-196-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB
-
memory/2384-18-0x0000000002FD0000-0x0000000002FE0000-memory.dmpFilesize
64KB
-
memory/2384-177-0x0000000007E80000-0x0000000007E88000-memory.dmpFilesize
32KB
-
memory/2384-174-0x0000000007EA0000-0x0000000007EBA000-memory.dmpFilesize
104KB
-
memory/2384-171-0x0000000007DA0000-0x0000000007DB4000-memory.dmpFilesize
80KB
-
memory/2384-17-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB
-
memory/2384-16-0x0000000002F30000-0x0000000002F66000-memory.dmpFilesize
216KB
-
memory/2384-126-0x0000000007D60000-0x0000000007D71000-memory.dmpFilesize
68KB
-
memory/2384-31-0x00000000061F0000-0x0000000006256000-memory.dmpFilesize
408KB
-
memory/2384-113-0x0000000007DE0000-0x0000000007E76000-memory.dmpFilesize
600KB
-
memory/2384-20-0x0000000002FD0000-0x0000000002FE0000-memory.dmpFilesize
64KB
-
memory/2384-40-0x0000000006260000-0x00000000065B4000-memory.dmpFilesize
3.3MB
-
memory/2384-108-0x0000000002FD0000-0x0000000002FE0000-memory.dmpFilesize
64KB
-
memory/2384-28-0x0000000006180000-0x00000000061E6000-memory.dmpFilesize
408KB
-
memory/2384-26-0x0000000005870000-0x0000000005892000-memory.dmpFilesize
136KB
-
memory/2384-107-0x0000000002FD0000-0x0000000002FE0000-memory.dmpFilesize
64KB
-
memory/2384-94-0x000000007FA90000-0x000000007FAA0000-memory.dmpFilesize
64KB
-
memory/4664-109-0x00000000073B0000-0x00000000073BA000-memory.dmpFilesize
40KB
-
memory/4664-78-0x00000000026D0000-0x00000000026E0000-memory.dmpFilesize
64KB
-
memory/4664-66-0x00000000065F0000-0x0000000006622000-memory.dmpFilesize
200KB
-
memory/4664-65-0x000000007F270000-0x000000007F280000-memory.dmpFilesize
64KB
-
memory/4664-67-0x0000000070D40000-0x0000000070D8C000-memory.dmpFilesize
304KB
-
memory/4664-186-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB
-
memory/4664-77-0x00000000065D0000-0x00000000065EE000-memory.dmpFilesize
120KB
-
memory/4664-166-0x0000000007570000-0x000000000757E000-memory.dmpFilesize
56KB
-
memory/4664-83-0x0000000007220000-0x00000000072C3000-memory.dmpFilesize
652KB
-
memory/4664-63-0x0000000006020000-0x000000000603E000-memory.dmpFilesize
120KB
-
memory/4664-95-0x0000000007980000-0x0000000007FFA000-memory.dmpFilesize
6.5MB
-
memory/4664-21-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB
-
memory/4664-97-0x0000000007340000-0x000000000735A000-memory.dmpFilesize
104KB
-
memory/4664-22-0x00000000026D0000-0x00000000026E0000-memory.dmpFilesize
64KB
-
memory/4664-24-0x00000000026D0000-0x00000000026E0000-memory.dmpFilesize
64KB
-
memory/4664-64-0x0000000006240000-0x000000000628C000-memory.dmpFilesize
304KB
-
memory/5088-41-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB
-
memory/5088-11-0x0000000008D50000-0x0000000008DEC000-memory.dmpFilesize
624KB
-
memory/5088-10-0x00000000064F0000-0x000000000657C000-memory.dmpFilesize
560KB
-
memory/5088-9-0x0000000005410000-0x000000000541C000-memory.dmpFilesize
48KB
-
memory/5088-8-0x0000000005400000-0x0000000005408000-memory.dmpFilesize
32KB
-
memory/5088-7-0x00000000053C0000-0x00000000053D2000-memory.dmpFilesize
72KB
-
memory/5088-5-0x0000000005260000-0x000000000526A000-memory.dmpFilesize
40KB
-
memory/5088-4-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/5088-6-0x0000000006940000-0x00000000069E8000-memory.dmpFilesize
672KB
-
memory/5088-3-0x00000000052A0000-0x0000000005332000-memory.dmpFilesize
584KB
-
memory/5088-0-0x00000000007F0000-0x00000000008AA000-memory.dmpFilesize
744KB
-
memory/5088-2-0x00000000057B0000-0x0000000005D54000-memory.dmpFilesize
5.6MB
-
memory/5088-1-0x00000000747E0000-0x0000000074F90000-memory.dmpFilesize
7.7MB