Resubmissions
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 14:27
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20240426-en
General
-
Target
sample.exe
-
Size
5.4MB
-
MD5
3890b8381d0097b70797e484f40d0df3
-
SHA1
43f2196a11285902cab38264f64a0fd545161b44
-
SHA256
dfea487c68b65aafc445658ea66473de74997a46a9ebf5b0123d1031a2432305
-
SHA512
f3091690ce65f294b298014dbd4ee8e46f2de302d9aff3ba75c3caf801378debd840b65534f8a8edad58d72a92eb1119379f628e7bff86d63a738b79a945b722
-
SSDEEP
98304:U98aK6oZt3D1RkS5OS0yionLTKnVhoDXDDm4O5DBur00H6qfe:yrK6oLD1GN3Xo6sDX3lUlY0Y6qfe
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
Processes:
resource yara_rule C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE family_neshta behavioral2/memory/4584-113-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4584-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4584-116-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
sample.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation sample.exe -
Executes dropped EXE 1 IoCs
Processes:
sample.exepid process 5008 sample.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
sample.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" sample.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
sample.exedescription ioc process File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE sample.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe sample.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe sample.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE sample.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe sample.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE sample.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE sample.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe sample.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE sample.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe sample.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe sample.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE sample.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe sample.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE sample.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE sample.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE sample.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE sample.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe sample.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE sample.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE sample.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe sample.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE sample.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE sample.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe sample.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE sample.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe sample.exe -
Drops file in Windows directory 1 IoCs
Processes:
sample.exedescription ioc process File opened for modification C:\Windows\svchost.com sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Modifies registry class 1 IoCs
Processes:
sample.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" sample.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
dw20.exedescription pid process Token: SeBackupPrivilege 3528 dw20.exe Token: SeBackupPrivilege 3528 dw20.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
sample.exesample.exedescription pid process target process PID 4584 wrote to memory of 5008 4584 sample.exe sample.exe PID 4584 wrote to memory of 5008 4584 sample.exe sample.exe PID 4584 wrote to memory of 5008 4584 sample.exe sample.exe PID 5008 wrote to memory of 3528 5008 sample.exe dw20.exe PID 5008 wrote to memory of 3528 5008 sample.exe dw20.exe PID 5008 wrote to memory of 3528 5008 sample.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8323⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3528
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exeFilesize
5.4MB
MD5210394145368825b0ef292bcd95d5a1d
SHA1387f356a147164ecd876117cb1253d38c83e85d5
SHA256bd473bfba93df098187864352721b0386632cdce4c3368fbaae31b3d7bf3709c
SHA5128afeffedf643a07de5a441456b1a23cce98c481420ba10450400a7b719de6091776c2e81416e6fb722aabac047039f2459f573eef16330601f7aee3598f79b50
-
memory/4584-113-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4584-114-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4584-116-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5008-9-0x0000000073592000-0x0000000073593000-memory.dmpFilesize
4KB
-
memory/5008-10-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB
-
memory/5008-11-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB
-
memory/5008-18-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB